Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 3.4.22, 3.6.13, 4.0.9, 4.1.9
Affects Version/s: None
Component/s: Internal Code, Security
Labels:
None

Backwards Compatibility:
Major Change
Backport Requested:

v4.0, v3.6, v3.4
Sprint:
Security 2019-01-28, Security 2019-02-11, Security 2019-02-25
Case:
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

CVE-2019-2386

Description
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

Workarounds
After deleting one or more users, restart any nodes which may have had active user authorization sessions.

Refrain from creating user accounts with the same name as previously deleted accounts.

Credit
Discovered by Mitch Wasson of Cisco's Advanced Malware Protection Group.

Assignee:: Sara Golemon (Inactive)

Reporter:: Spencer Jackson

Participants:: Githook User, Sara Golemon, Spencer Jackson

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: Jan 14 2019 04:06:06 PM UTC

Updated:: Oct 29 2023 10:25:09 PM UTC

Resolved:: Feb 14 2019 04:47:22 PM UTC

Confidence Status Last Update:: 18/Jan/19 7:51 PM

Details

Description

Attachments

Activity

People

Dates