MongodbCVE-2019-2386CVE-2019-2386
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
44.1%
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated userβs session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.
Workaround:
After deleting one or more users, restart any nodes which may have had active user authorization sessions.
Refrain from creating user accounts with the same name as previously deleted accounts.
Affected configurations
CNA Affected
[
{
"defaultStatus": "unaffected",
"product": "MongoDB Server",
"vendor": "MongoDB Inc.",
"versions": [
{
"lessThan": "4.0.9",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThan": "3.6.13",
"status": "affected",
"version": "3.6",
"versionType": "custom"
},
{
"lessThan": "3.4.22",
"status": "affected",
"version": "3.4",
"versionType": "custom"
}
]
}
]References
Social References
More
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
44.1%