{"id":"CVE-2016-3104","details":"mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database.","modified":"2026-04-10T03:51:00.405187Z","published":"2017-04-14T18:59:00.250Z","references":[{"type":"ADVISORY","url":"https://jira.mongodb.org/browse/SERVER-24378"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/94929"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1324496"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"0"},{"last_affected":"ce2d666c04b4a80af58e8bbb3388b0680e8cfeb6"},{"introduced":"0"},{"last_affected":"1c1c76aeca21c5983dc178920f5052c298db616c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.4.0"},{"introduced":"0"},{"last_affected":"2.6.0"}]}}],"versions":["0.9.1","1.7-cut","r0.0.3","r0.0.4_rc1","r0.0.6_rc1","r0.0.7_rc1","r0.0.7_rc2","r0.0.7_rc3","r0.0.7_rc4","r0.0.9_rc1","r0.1.0_rc1","r0.1.2_rc1","r0.1.3_rc1","r0.1.4_rc1","r0.1.5_rc1","r0.1.6_rc1","r0.2.1","r0.9.1","r0.9.10","r0.9.5","r0.9.6","r0.9.8","r0.9.9","r1.1.1","r1.1.3","r1.3.0","r1.3.4","r1.5.0","r1.5.1","r1.5.2","r1.5.5","r1.5.6","r1.7.5","r1.7.6","r1.8.0-rc0","r2.1.1","r2.1.2","r2.2.0-rc0","r2.3.1","r2.3.2","r2.4.0","r2.4.0-rc0","r2.4.0-rc1","r2.4.0-rc2","r2.4.0-rc3","r2.4.0.rc1","r2.5.1","r2.5.2","r2.5.3","r2.5.4","r2.5.5","r2.6.0","r2.6.0-rc0","r2.6.0-rc1","r2.6.0-rc2","r2.6.0-rc3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-3104.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}