CVE-2019-2389Incorrect Permission Assignment in INC Mongodb Server

CWE-732Incorrect Permission AssignmentCWE-20Improper Input Validation8 documents5 sources
Severity
4.2MEDIUMNVD
CNA5.3
EPSS
0.1%
top 68.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mongodb INC Mongodb ServerMongodb
Timeline
PublishedAug 30
Latest updateMay 24

Description

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:HExploitability: 0.6 | Impact: 3.6

Affected Packages2 packages

CVEListV5mongodb_inc/mongodb_server4.04.0.11+2
NVDmongodb/mongodb3.4.03.4.22+2

Patches

Patch: jira.mongodb.orgPatch: jira.mongodb.org

🔴Vulnerability Details

2
GHSA
GHSA-vjcf-4g29-6hfr: Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary2022-05-24
CVEList
Process termination via PID file manipulation2019-08-30

📋Vendor Advisories

1
Red Hat
mongodb: Incorrect scoping in shipped sysV scripts allows arbitrary PID insertion to kill2019-08-30

💬Community

4
Bugzilla
CVE-2019-2389 mongodb: Incorrect scoping in shipped sysV scripts allows arbitrary PID insertion to kill2019-10-24
Bugzilla
CVE-2019-2389 mongodb: Incorrect scoping in shipped sysV scripts allows arbitrary PID insertion to kill [fedora-29]2019-10-24
Bugzilla
CVE-2019-2389 mongodb: Incorrect scoping in shipped sysV scripts allows arbitrary PID insertion to kill [epel-all]2019-10-24
Bugzilla
CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI2019-09-17
CVE-2019-2389 — Incorrect Permission Assignment | cvebase