PT-2019-16408
Mitch Wasson
Published 2019-08-06
Updated 2026-02-23
CVE-2019-2386
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
MongoDB Server versions prior to 4.0.9
MongoDB Server versions prior to 3.6.13
MongoDB Server versions prior to 3.4.22
Description
Improper invalidation of authorization sessions in MongoDB Server allows an authenticated user's session to persist after that user is deleted and to become conflated with a new account that reuses the deleted account's name.
Recommendations
For MongoDB Server versions prior to 4.0.9, 3.6.13 and 3.4.22: restart any nodes which may have had active user authorization sessions after deleting one or more users, and refrain from creating user accounts with the same name as previously deleted accounts.
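The following is an added illustration of the weakness class behind this advisory, not MongoDB Server's code: a constructed, simplified model in which sessions are keyed by login name and never revoked on deletion (the defect), beside a hardened variant that binds sessions to an immutable per-creation identifier and revokes them when the user is deleted. The `User`, `NameKeyedAuthz`, `IdKeyedAuthz` and `stale_session_outcome` names and the sample account "alice" are assumptions for this example. It shows why both recommendations work: restarting a node drops the stale sessions, and not reusing a name prevents a stale session from resolving to a successor account.

```python
"""Constructed model of session/user binding (added illustration, not MongoDB code)."""
import itertools
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    uid: int            # immutable identifier assigned at creation
    name: str           # login name, which can be reused after deletion
    roles: frozenset


class NameKeyedAuthz:
    """Weak model: a session records only the login name and is never
    invalidated when the user is deleted."""

    def __init__(self):
        self._users = {}       # name -> User
        self._sessions = {}    # token -> name
        self._ids = itertools.count(1)

    def create_user(self, name, roles):
        if name in self._users:
            raise ValueError(f"user {name!r} already exists")
        self._users[name] = User(next(self._ids), name, frozenset(roles))

    def delete_user(self, name):
        # Defect: live sessions for this name are left in place.
        del self._users[name]

    def login(self, name):
        if name not in self._users:
            raise PermissionError("unknown user")
        token = secrets.token_hex(16)
        self._sessions[token] = name
        return token

    def whoami(self, token):
        """Return (uid, roles) the session currently resolves to, or None."""
        user = self._users.get(self._sessions.get(token))
        return None if user is None else (user.uid, user.roles)


class IdKeyedAuthz(NameKeyedAuthz):
    """Hardened model: sessions bind to the immutable uid, and deleting a user
    revokes every session bound to that uid, so a same-name successor starts clean."""

    def delete_user(self, name):
        uid = self._users.pop(name).uid
        self._sessions = {t: u for t, u in self._sessions.items() if u != uid}

    def login(self, name):
        if name not in self._users:
            raise PermissionError("unknown user")
        token = secrets.token_hex(16)
        self._sessions[token] = self._users[name].uid
        return token

    def whoami(self, token):
        uid = self._sessions.get(token)
        user = next((u for u in self._users.values() if u.uid == uid), None)
        return None if user is None else (user.uid, user.roles)


def stale_session_outcome(authz_cls):
    """Replay the advisory's scenario against a model: log in, delete the user,
    recreate the same name with different roles, then ask what the old
    session now resolves to."""
    authz = authz_cls()
    authz.create_user("alice", {"readWrite"})     # constructed sample account
    token = authz.login("alice")
    authz.delete_user("alice")
    authz.create_user("alice", {"root"})           # same name, new account
    return authz.whoami(token)


if __name__ == "__main__":
    # Name-keyed: the pre-deletion session now acts as the new "alice".
    print("name-keyed:", stale_session_outcome(NameKeyedAuthz))
    # Id-keyed: the session was revoked with the deleted user.
    print("id-keyed:  ", stale_session_outcome(IdKeyedAuthz))
```

In the weak model the old token resolves to the successor account and its roles; in the hardened model it resolves to nothing. The same reasoning applies to any cache of authorization state: key it on an identifier that is never reused, and invalidate it as part of the delete operation rather than relying on a later restart.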
Weakness Types
Insufficient Session Expiration
Improper Authorization
Affected Products
Alt Linux
Linuxmint
Mongodb Server
Mongodb
Ubuntu