[SERVER-50180] Fix User lifetime management in AuthorizationManager::acquireUserForSessionRefresh - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.6.20, 4.0.21
Component/s: None
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v3.6
Sprint:
Security 2020-08-24
Linked BF Score:
15

Description

In 3.6 and 4.0, a User object may be leaked in AuthorizationManager::acquireUserForSessionRefresh if an error condition block is taken.

The User object's ref count must be decremented in this error block.

The affected code is only in 3.6 and 4.0. It was rewritten in 4.2.

Attachments

Activity

People

Assignee:: Mark Benvenuto

Reporter:: Mark Benvenuto

Participants:: Githook User, Mark Benvenuto

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: Aug 07 2020 03:12:59 PM UTC

Updated:: Aug 31 2020 10:07:17 PM UTC

Resolved:: Aug 17 2020 09:30:27 PM UTC