[SERVER-38984] Attach IDs to users - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.4.22, 3.6.13, 4.0.9, 4.1.9
Component/s: Internal Code, Security
Labels:
None

Backwards Compatibility:
Major Change
Backport Requested:

v4.0, v3.6, v3.4
Sprint:
Security 2019-01-28, Security 2019-02-11, Security 2019-02-25
Case:

Description

CVE-2019-2386

Description
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

Workarounds
After deleting one or more users, restart any nodes which may have had active user authorization sessions.

Refrain from creating user accounts with the same name as previously deleted accounts.

Credit
Discovered by Mitch Wasson of Cisco's Advanced Malware Protection Group.

Attachments

Issue Links

is documented by

DOCS-12482 Docs for SERVER-38984: Attach IDs to users

Closed

Activity

People

Assignee:: Sara Golemon

Reporter:: Spencer Jackson

Participants:: Githook User, Sara Golemon, Spencer Jackson

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: Jan 14 2019 04:06:06 PM UTC

Updated:: Aug 08 2022 04:08:55 PM UTC

Resolved:: Feb 14 2019 04:47:22 PM UTC