{"id":"CVE-2019-2392","details":"A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.","modified":"2026-04-11T09:39:58.473811Z","published":"2020-11-23T16:15:12.963Z","references":[{"type":"REPORT","url":"https://jira.mongodb.org/browse/SERVER-43699"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"a57d8e71e6998a2d0afde7edc11bd23e5661c915"},{"fixed":"39c200878284912f19553901a6fea4b31531a899"},{"introduced":"3b07af3d4f471ae89e8186d33bbb1d5259597d51"},{"fixed":"e2416422da84a0b63cde2397d60b521758b56d1b"},{"introduced":"a4b751dcf51dd249c5865812b390cfd1c0129c30"},{"fixed":"06402114114ffc5146fd4b55402c96f1dc9ec4b5"},{"introduced":"563487e100c4215e2dce98d0af2a6a5a2d67c5cf"},{"fixed":"ad91a93a5a31e175f5cbf8c69561e788bbc55ce1"}],"database_specific":{"versions":[{"introduced":"3.6.0"},{"fixed":"3.6.20"},{"introduced":"4.0.0"},{"fixed":"4.0.20"},{"introduced":"4.2.0"},{"fixed":"4.2.9"},{"introduced":"4.4.0"},{"fixed":"4.4.1"}]}}],"versions":["r3.6.0","r3.6.1","r3.6.1-rc0","r3.6.1-rc1","r3.6.10","r3.6.10-rc0","r3.6.10-rc1","r3.6.11","r3.6.11-rc0","r3.6.11-rc1","r3.6.11-rc2","r3.6.12","r3.6.12-rc0","r3.6.12-rc1","r3.6.13","r3.6.13-rc0","r3.6.13-rc1","r3.6.14","r3.6.14-rc0","r3.6.15","r3.6.15-rc0","r3.6.15-rc1","r3.6.16","r3.6.16-rc0","r3.6.17","r3.6.17-rc0","r3.6.18","r3.6.18-rc0","r3.6.19","r3.6.19-rc0","r3.6.2","r3.6.2-rc0","r3.6.20-rc0","r3.6.20-rc1","r3.6.3","r3.6.3-rc0","r3.6.3-rc1","r3.6.4","r3.6.4-rc0","r3.6.5","r3.6.5-rc0","r3.6.6","r3.6.6-rc0","r3.6.7","r3.6.7-rc0","r3.6.7-rc1","r3.6.8","r3.6.8-rc0","r3.6.8-rc1","r3.6.9","r3.6.9-rc0","r4.0.0","r4.0.1","r4.0.1-rc0","r4.0.1-rc1","r4.0.10","r4.0.10-rc0","r4.0.10-rc1","r4.0.11","r4.0.11-rc0","r4.0.12","r4.0.12-rc0","r4.0.12-rc1","r4.0.12-rc2","r4.0.13","r4.0.13-rc0","r4.0.14","r4.0.14-rc0","r4.0.14-rc1","r4.0.15","r4.0.15-rc0","r4.0.16","r4.0.16-rc0","r4.0.17","r4.0.17-rc0","r4.0.18","r4.0.18-rc0","r4.0.19","r4.0.19-rc0","r4.0.2","r4.0.2-rc0","r4.0.3","r4.0.3-rc0","r4.0.4","r4.0.4-rc0","r4.0.4-rc1","r4.0.4-rc2","r4.0.5","r4.0.5-rc0","r4.0.5-rc1","r4.0.6","r4.0.6-rc0","r4.0.6-rc1","r4.0.7","r4.0.7-rc0","r4.0.7-rc1","r4.0.8","r4.0.8-rc0","r4.0.9","r4.0.9-rc0","r4.2.0","r4.2.1","r4.2.1-rc0","r4.2.2","r4.2.2-rc0","r4.2.2-rc1","r4.2.3","r4.2.3-rc0","r4.2.3-rc1","r4.2.4","r4.2.4-rc0","r4.2.5","r4.2.5-rc0","r4.2.5-rc1","r4.2.6","r4.2.6-rc0","r4.2.7","r4.2.7-rc0","r4.2.7-rc1","r4.2.8","r4.2.8-rc0","r4.4.0","r4.4.1-rc0","r4.4.1-rc1","r4.4.1-rc2"],"database_specific":{"vanir_signatures_modified":"2026-04-11T09:39:58Z","vanir_signatures":[{"deprecated":false,"target":{"file":"src/third_party/wiredtiger/src/txn/txn_recover.c","function":"__wt_txn_recover"},"id":"CVE-2019-2392-2d37e6c3","signature_type":"Function","digest":{"function_hash":"151262211054760185720127152001316281250","length":5307},"source":"https://github.com/mongodb/mongo/commit/ad91a93a5a31e175f5cbf8c69561e788bbc55ce1","signature_version":"v1"},{"deprecated":false,"target":{"file":"src/third_party/wiredtiger/src/txn/txn_recover.c","function":"__recovery_file_scan"},"id":"CVE-2019-2392-6ed27bda","signature_type":"Function","digest":{"function_hash":"222802404687574253373945116552049107396","length":595},"source":"https://github.com/mongodb/mongo/commit/ad91a93a5a31e175f5cbf8c69561e788bbc55ce1","signature_version":"v1"},{"deprecated":false,"target":{"file":"src/third_party/wiredtiger/src/txn/txn_recover.c"},"id":"CVE-2019-2392-98d23718","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["277395883631913544235843059429904341778","190131020086289323787365361718434822041","156593639150803104870368656550091158247","254599983326529039473066318940603712053","246215242810397006687658517823238030194","30585347245087757459584332338861806407","161438447538539267520882034343628408421","313471203792529671136136365005831013652","123414515668546916026728107986940604788","154943114112322522419481562731002026669","36833237464877143329818463633626119100","89153525433556070057976587890049189048"]},"source":"https://github.com/mongodb/mongo/commit/ad91a93a5a31e175f5cbf8c69561e788bbc55ce1","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-2392.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}