CVE-2021-32040 (https://jira.mongodb.org/browse/SERVER-58203): https://jira.mongodb.org/browse/SERVER-60218 https://jira.mongodb.org/browse/SERVER-59299 It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB versions prior to 5.0.4, 4.4.11, 4.2.16. Fix in 5.0.4, 4.4.11, 4.2.16, please stabilize fixed versions and bump the 4.4.x branch.
CVE-2022-24272 (https://jira.mongodb.org/browse/SERVER-63968): An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.
no vulnerable version in tree anymore AFAIK
(In reply to Ultrabug from comment #2) > no vulnerable version in tree anymore AFAIK The security team is supposed to take care of closing security bugs.
I apologize, you're right
