CVE-2019-2386

2019-08-0600:00:00

ubuntu.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

44.1%

JSON

After user deletion in MongoDB Server the improper invalidation of
authorization sessions allows an authenticated user’s session to persist
and become conflated with new accounts, if those accounts reuse the names
of deleted ones. This issue affects MongoDB Server v4.0 versions prior to
4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4
versions prior to 3.4.22. Workaround: After deleting one or more users,
restart any nodes which may have had active user authorization sessions.
Refrain from creating user accounts with the same name as previously
deleted accounts.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchmongodb< 1:3.6.3-0ubuntu1.3UNKNOWN
ubuntu20.04noarchmongodb< 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2UNKNOWN
ubuntu14.04noarchmongodb< anyUNKNOWN
ubuntu16.04noarchmongodb< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	mongodb	< 1:3.6.3-0ubuntu1.3	UNKNOWN
ubuntu	20.04	noarch	mongodb	< 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2	UNKNOWN
ubuntu	14.04	noarch	mongodb	< any	UNKNOWN
ubuntu	16.04	noarch	mongodb	< any	UNKNOWN