CVE-2019-2390Code Injection in INC Mongodb Server

CWE-94Code Injection3 documents3 sources
Severity
7.8HIGHNVD
CNA8.2
EPSS
0.4%
top 40.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mongodb INC Mongodb ServerMongodb
Timeline
PublishedAug 30
Latest updateMay 24

Description

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5mongodb_inc/mongodb_server4.04.0.11+2
NVDmongodb/mongodb3.4.03.4.22+2

🔴Vulnerability Details

2
GHSA
GHSA-59q4-q97g-jqjq: An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipp2022-05-24
CVEList
Code execution on Windows via OpenSSL engine injection2019-08-30
CVE-2019-2390 — Code Injection in INC Mongodb Server | cvebase