Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 3.4.22, 3.6.13, 4.0.9, 4.1.9
Affects Version/s: None
Component/s: Internal Code, Security
Labels:
None

Backwards Compatibility:
Major Change
Backport Requested:

v4.0, v3.6, v3.4
Sprint:
Security 2019-01-28, Security 2019-02-11, Security 2019-02-25
Case:
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

CVE-2019-2386

Description
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

Workarounds
After deleting one or more users, restart any nodes which may have had active user authorization sessions.

Refrain from creating user accounts with the same name as previously deleted accounts.

Credit
Discovered by Mitch Wasson of Cisco's Advanced Malware Protection Group.

Assignee:: Sara Golemon (Inactive)
Reporter:: Spencer Jackson
Participants:: Githook User, Sara Golemon, Spencer Jackson
Votes:: 0 Vote for this issue
Watchers:: 9 Start watching this issue

Created:: Jan 14 2019 04:06:06 PM UTC
Updated:: Oct 29 2023 10:25:09 PM UTC
Resolved:: Feb 14 2019 04:47:22 PM UTC
Confidence Status Last Update:: 18/Jan/19 7:51 PM

Details

Description

Attachments

Activity

People

Dates