Vulnerability Description
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mongodb | Mongodb | >= 3.4.0, < 3.4.22 |
Related Weaknesses (CWE)
References
- https://jira.mongodb.org/browse/SERVER-38984Vendor Advisory
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829ExploitThird Party Advisory
- https://jira.mongodb.org/browse/SERVER-38984Vendor Advisory
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829ExploitThird Party Advisory
FAQ
What is CVE-2019-2386?
CVE-2019-2386 is a vulnerability with a CVSS score of 7.1 (HIGH). After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts re...
How severe is CVE-2019-2386?
CVE-2019-2386 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-2386?
Check the references section above for vendor advisories and patch information. Affected products include: Mongodb Mongodb.