CVE-2019-2386

Source: redhat.com (access.redhat.com), published Aug 27, 2019, 6:21 p.m.
EPSS: 0.001 (percentile 44.1%)

A session expiration flaw was discovered in MongoDB. After a user is deleted, the session tokens for that user do not expire and can be reused if a new user is created with the same name. An attacker with access to a MongoDB user could exploit this flaw to gain access to the new user account.

Mitigation

This vulnerability can be mitigated by either of two administrative practices:

  • Whenever a user is deleted, restart all nodes where that user may have an active session
  • When a user is deleted, ensure that a new user with the same name will never be created

If your MongoDB instance is deployed in a situation where users never need to be deleted, or one of the above mitigations can be applied, this vulnerability cannot be exploited.
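The following is an added illustration of the flaw class the advisory describes and of the two mitigations, written as a small in-memory session store; it is example code, not MongoDB's implementation. It assumes a session cache keyed by user name (the vulnerable shape), contrasts it with one keyed by a per-account `uid` that is revoked on deletion and that retires deleted names (the second administrative mitigation). The user names, tokens and the `uid` field are constructed for the example.

```python
"""
Constructed illustration of the CVE-2019-2386 pattern: a session cache keyed
only by user name survives deletion of that user, so a later account created
with the same name inherits the old tokens. Added example, not MongoDB code.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    name: str
    # Per-account identity that changes when a name is reused (assumption:
    # a real server would carry an internal user id for this purpose).
    uid: str = field(default_factory=lambda: secrets.token_hex(8))


class VulnerableSessionStore:
    """Sessions are bound to the user *name*; delete_user never revokes them."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, str] = {}  # token -> user name

    def create_user(self, name: str) -> None:
        self.users[name] = User(name)

    def delete_user(self, name: str) -> None:
        del self.users[name]  # flaw: self.sessions is left untouched

    def login(self, name: str) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = name
        return token

    def authorize(self, token: str) -> Optional[str]:
        name = self.sessions.get(token)
        # The only check is "does a user of this name exist right now", so a
        # re-created user with the same name revalidates the stale token.
        return name if name in self.users else None


class HardenedSessionStore(VulnerableSessionStore):
    """Sessions are bound to the account uid and revoked on deletion; names of
    deleted users are retired, mirroring the advisory's second mitigation."""

    def __init__(self) -> None:
        super().__init__()
        self.sessions: Dict[str, str] = {}  # token -> uid (not name)
        self.retired: Set[str] = set()

    def create_user(self, name: str) -> None:
        if name in self.retired:
            raise ValueError(f"user name {name!r} was deleted and may not be reused")
        super().create_user(name)

    def delete_user(self, name: str) -> None:
        uid = self.users[name].uid
        # Drop every session of this account: the effect the advisory's
        # "restart all nodes" mitigation achieves by flushing the cache.
        self.sessions = {t: u for t, u in self.sessions.items() if u != uid}
        self.retired.add(name)
        del self.users[name]

    def login(self, name: str) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = self.users[name].uid
        return token

    def authorize(self, token: str) -> Optional[str]:
        uid = self.sessions.get(token)
        for user in self.users.values():
            if user.uid == uid:
                return user.name
        return None


def replay_after_recreate(store: VulnerableSessionStore) -> Optional[str]:
    """Delete 'alice', recreate the name, and check whether the old token
    still authorizes. Returns the name it resolves to, or None if rejected."""
    store.create_user("alice")
    token = store.login("alice")
    store.delete_user("alice")
    try:
        store.create_user("alice")  # the hardened store refuses this
    except ValueError:
        pass
    return store.authorize(token)


if __name__ == "__main__":
    print("vulnerable:", replay_after_recreate(VulnerableSessionStore()))  # alice
    print("hardened:  ", replay_after_recreate(HardenedSessionStore()))    # None
```

The hardened store applies both mitigations at once: revoking sessions on deletion corresponds to the node restart, and refusing to recreate a retired name corresponds to the naming rule. Either alone closes the replay in this model, which is why the advisory presents them as alternatives.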