MongoDB · MongoDB Server · CVE-2019-2386
**Name of the Vulnerable Software and Affected Versions**
MongoDB Server versions prior to 4.0.9
MongoDB Server versions prior to 3.6.13
MongoDB Server versions prior to 3.4.22
**Description**
Improper invalidation of authorization sessions in MongoDB Server allows an authenticated user's session to persist after that user is deleted, so that the stale session becomes conflated with a new account if the new account reuses the deleted account's name.
**Recommendations**
For MongoDB Server versions prior to 4.0.9, prior to 3.6.13, and prior to 3.4.22: after deleting one or more users, restart any nodes which may have had active user authorization sessions, and refrain from creating user accounts with the same name as previously deleted accounts.
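To make the advisory actionable, the following is an added example (not MongoDB's own code): it classifies a server's `buildInfo` version string against the three fixed releases above, and a small guard enforces the workaround by refusing to recreate a deleted user name and flagging that a restart is pending. The version strings and user names are constructed; nothing here connects to a live server.

```python
import re

# Fix releases per branch, taken from the advisory (branch -> first fixed version).
FIXED = {(4, 0): (4, 0, 9), (3, 6): (3, 6, 13), (3, 4): (3, 4, 22)}


def parse_version(s):
    """Reduce a buildInfo 'version' string such as '4.0.8-rc1' to (major, minor, patch).
    Pre-release suffixes are ignored, so '4.0.9-rc0' is treated as 4.0.9."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version is below the fix release on one of the three branches
    the advisory covers, False if at or above it, None for branches it does not list."""
    major, minor, patch = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


class UserNameGuard:
    """Operator-side bookkeeping for the workaround: remember every deleted name,
    refuse to reuse it, and record that nodes with live sessions need a restart."""

    def __init__(self):
        self.deleted = set()
        self.pending_restart = False

    def drop_user(self, name):
        self.deleted.add(name)
        self.pending_restart = True  # stale sessions may survive until restart

    def nodes_restarted(self):
        self.pending_restart = False

    def create_user(self, name):
        # Reusing a deleted name is refused even after a restart, per the advisory.
        if name in self.deleted:
            raise PermissionError(
                f"{name!r} was previously deleted; pick a new name (CVE-2019-2386)")
        return name
```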