PT-2019-16408 · Mongodb · Mongodb Server

Mitch Wasson · Published 2019-08-06 · Updated 2026-02-23 · CVE-2019-2386

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

MongoDB Server versions prior to 4.0.9
MongoDB Server versions prior to 3.6.13
MongoDB Server versions prior to 3.4.22
Description

MongoDB Server does not properly invalidate a user's authorization session when that user is deleted. An authenticated session therefore persists after the account is dropped and, if a new account is later created with the same name, the stale session's authorization is conflated with the new account. The precondition is an existing authenticated session under the deleted name and a later re-creation of that name (hence PR:L and UI:R in the vector).
Recommendations

Upgrade to the first fixed release of the branch in use: 4.0.9, 3.6.13 or 3.4.22. Until then, on any version prior to those releases:

Restart any node that may have had active user authorization sessions after one or more users were deleted.
Refrain from creating user accounts with the same name as previously deleted accounts.
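As an added example (not part of this advisory and not MongoDB's own code), the following Python implements the version check implied by the affected ranges above and turns the two mitigations into a pre-flight check an operator could run before user-management changes on an unpatched node. The `server_version` helper, its pymongo dependency, and the `name@authdb` spelling of the sample accounts are assumptions of the example.

```python
"""Added example: pre-flight check for CVE-2019-2386 (MongoDB Server).

Decides whether a server build falls in the affected ranges named in the
advisory, and turns the advisory's mitigations (restart after deleting users,
never reuse a deleted user name) into concrete actions for one node.
"""
import re

# First fixed release on each branch the advisory lists.
FIXED_RELEASES = {
    (4, 0): (4, 0, 9),
    (3, 6): (3, 6, 13),
    (3, 4): (3, 4, 22),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """'4.0.8-rc0' -> (4, 0, 8); rejects strings that are not x.y.z[...]."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when `version` is inside one of the advisory's 'prior to' ranges.

    A build on a listed branch is compared with that branch's fixed release.
    Any other branch falls under the broadest clause, 'prior to 4.0.9', so
    3.2.x is reported affected and 4.2.x is not.
    """
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2], FIXED_RELEASES[(4, 0)])
    return v < fixed


def plan_remediation(version, deleted_users, proposed_users):
    """Actions for one node, given the users already dropped while sessions may
    have been live and the user names an operator intends to create next.

    User names are written 'name@authdb' (an assumption of this example) so
    the same name in two authentication databases is not treated as a reuse.
    Returns an empty list when the build is not affected.
    """
    if not is_affected(version):
        return []
    actions = []
    if deleted_users:
        # Mitigation 1: cached authorization for a deleted user can outlive the
        # deletion; restarting the node is the advisory's way to drop it.
        actions.append("restart node: users were deleted while authorization "
                       "sessions may have been active")
    # Mitigation 2: a recreated name would be conflated with the stale session.
    for name in sorted(set(proposed_users) & set(deleted_users)):
        actions.append(f"do not create {name!r}: it reuses the name of a deleted account")
    return actions


def server_version(uri="mongodb://localhost:27017"):
    """Fetch the running version with pymongo (assumed installed; imported here
    so the offline checks above need no driver). server_info() is buildInfo."""
    from pymongo import MongoClient
    with MongoClient(uri, serverSelectionTimeoutMS=3000) as client:
        return client.server_info()["version"]


if __name__ == "__main__":
    # Constructed sample: an unpatched 4.0 node where 'alice@admin' was dropped
    # and an operator now wants to create 'alice@admin' and 'bob@admin'.
    for action in plan_remediation("4.0.8", ["alice@admin"], ["alice@admin", "bob@admin"]):
        print(action)
    print("4.0.9 affected:", is_affected("4.0.9"))
```

Run it against a live node by replacing the literal version with `server_version()`; the check is deliberately conservative and reports a restart whenever any user was dropped, because the advisory gives no way to tell from outside which sessions were active at the time.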

Weakness Enumeration

CWE-613 Insufficient Session Expiration
CWE-285 Improper Authorization

Related identifiers

ALT-PU-2022-3039
CVE-2019-2386
USN-5052-1

Affected products

Alt Linux
Linuxmint
Mongodb Server
Mongodb
Ubuntu