CVE-2019-2386
Published 2019-08-06
CVE-2019-2386: After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become…
Priority P4 33 · high · 7.1 CVSS 3.1
Vector: AV:N / AC:H / PR:L / UI:R / S:U / C:H / I:H / A:H
EPSS: 1.23% (65.1th percentile)
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.
Workaround:
After deleting one or more users, restart any nodes which may have had active user authorization sessions.
Refrain from creating user accounts with the same name as previously deleted accounts.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | mongodb | >= 0 < 1:3.6.3-0ubuntu1.3 | 1:3.6.3-0ubuntu1.3 |
| mongodb | mongodb | >= 0 < 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2 | 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2 |
| mongodb | mongodb | >= 3.4.0 < 3.4.22 | 3.4.22 |
| mongodb | mongodb | >= 3.6.0 < 3.6.13 | 3.6.13 |
| mongodb | mongodb | >= 4.0.0 < 4.0.9 | 4.0.9 |
| mongodb_inc | mongodb_server | >= 3.4 < 3.4.22 | 3.4.22 |
| mongodb_inc | mongodb_server | >= 3.6 < 3.6.13 | 3.6.13 |
| mongodb_inc | mongodb_server | >= 4.0 < 4.0.9 | 4.0.9 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | | 7.1 | HIGH | |
| vendor_redhat | | 7.1 | HIGH | |
GHSA
GHSA-gqrr-9cvj-jrrq · ghsa_unreviewed · 2022-05-24 · MEDIUM · CWE-285
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.
OSV
CVE-2019-2386 · osv · 2019-08-06 · CVSS 7.1 · HIGH
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.
Ubuntu
MongoDB vulnerability · vendor_ubuntu · 2021-08-26
Summary: MongoDB could provide unintended access.
MongoDB would fail to properly invalidate existing sessions for deleted users. This could allow a remote authenticated attacker to gain elevated privileges if their user account was recreated with elevated privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
mongodb: Improper invalidation of authorization sessions for deleted users · vendor_redhat · 2019-08-06 · CVSS 7.1 · HIGH · CWE-613
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.
Workaround:
After deleting one or more users, restart any nodes which may have had active user authorization sessions.
Refrain from creating user accounts with the same name as previously deleted accounts.
A session expiration flaw was discovered in MongoDB. After a user is deleted, the session tokens for that user do not expire an
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-2386 mongodb: Improper invalidation of authorization sessions for deleted users [epel-all] · bugzilla · 2019-08-27 · CVSS 7.1 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multipl
Bugzilla
CVE-2019-2386 mongodb: Improper invalidation of authorization sessions for deleted users [fedora-29] · bugzilla · 2019-08-27 · CVSS 7.1 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-29.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion:
Use the following
Bugzilla
CVE-2019-2386 mongodb: Improper invalidation of authorization sessions for deleted users · bugzilla · 2019-08-27 · CVSS 7.1 · HIGH
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.
References:
https://exchange.xforce.ibmcloud.com/vulnerabilities/164984
Discussion:
Created mongodb tracking bugs for this issue:
Affects: epel-all [bug 1746133]
Affects: fedora-29 [bug 1746134]
---
External References:
https://jira.mongodb.org/browse/SERVER-38984
---
Mitigation:
This vulnerability can be mitigated by either o
Published: 2019-08-06