CVE-2019-2386 - OpenCVE

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Mongodb	Mongodb

Configuration 1 [-]

OR	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::

References

Link	Resource
https://jira.mongodb.org/browse/SERVER-38984	Vendor Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mongodb

Published: 2019-08-06T18:32:07

Updated: 2024-01-23T14:35:15.967Z

Reserved: 2018-12-10T00:00:00

Link: CVE-2019-2386

JSON object: View

NVD Information

Status : Modified

Published: 2019-08-06T19:15:13.613

Modified: 2024-01-23T15:15:10.990

Link: CVE-2019-2386

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Server", "vendor": "MongoDB Inc.", "versions": [{"lessThan": "4.0.9", "status": "affected", "version": "4.0", "versionType": "custom"}, {"lessThan": "3.6.13", "status": "affected", "version": "3.6", "versionType": "custom"}, {"lessThan": "3.4.22", "status": "affected", "version": "3.4", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Discovered by Mitch Wasson of Cisco's Advanced Malware Protection Group."}], "datePublic": "2019-08-06T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.</p>Workaround: <br><p>After deleting one or more users, restart any nodes which may have had active user authorization sessions.</p><p>Refrain from creating user accounts with the same name as previously deleted accounts.</p>"}], "value": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.\n\nWorkaround: \nAfter deleting one or more users, restart any nodes which may have had active user authorization sessions.\n\nRefrain from creating user accounts with the same name as previously deleted accounts.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T14:35:15.967Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jira.mongodb.org/browse/SERVER-38984"}, {"tags": ["x_refsource_MISC"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"}], "source": {"defect": ["SECURITY-556"], "discovery": "EXTERNAL"}, "title": "Authorization session conflation", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>After deleting one or more users, restart any nodes which may have had active user authorization sessions.</p>"}], "value": "After deleting one or more users, restart any nodes which may have had active user authorization sessions.\n\n"}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Refrain from creating user accounts with the same name as previously deleted accounts.</p>"}], "value": "Refrain from creating user accounts with the same name as previously deleted accounts.\n\n"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@mongodb.com", "ID": "CVE-2019-2386", "STATE": "PUBLIC", "TITLE": "Authorization session conflation"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MongoDB Server", "version": {"version_data": [{"version_affected": "<", "version_name": "4.0", "version_value": "4.0.9"}, {"version_affected": "<", "version_name": "3.6", "version_value": "3.6.13"}, {"version_affected": "<", "version_name": "3.4", "version_value": "3.4.22"}]}}]}, "vendor_name": "MongoDB Inc."}]}}, "credit": [{"lang": "eng", "value": "Discovered by Mitch Wasson of Cisco's Advanced Malware Protection Group."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-285 Improper Authorization"}]}]}, "references": {"reference_data": [{"name": "https://jira.mongodb.org/browse/SERVER-38984", "refsource": "CONFIRM", "url": "https://jira.mongodb.org/browse/SERVER-38984"}, {"name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"}]}, "source": {"defect": ["SECURITY-556"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "After deleting one or more users, restart any nodes which may have had active user authorization sessions."}, {"lang": "en", "value": "Refrain from creating user accounts with the same name as previously deleted accounts."}]}}}, "cveMetadata": {"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "assignerShortName": "mongodb", "cveId": "CVE-2019-2386", "datePublished": "2019-08-06T18:32:07", "dateReserved": "2018-12-10T00:00:00", "dateUpdated": "2024-01-23T14:35:15.967Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "56AB583F-49FA-4EBD-A1CD-EB9A0853F8F8", "versionEndExcluding": "3.4.22", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E74086E-F8F7-438B-8E70-CDF068C7AEE5", "versionEndExcluding": "3.6.13", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5544C87-6AF1-43C2-A05E-7D714322D4DB", "versionEndExcluding": "4.0.9", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.\n\nWorkaround: \nAfter deleting one or more users, restart any nodes which may have had active user authorization sessions.\n\nRefrain from creating user accounts with the same name as previously deleted accounts.\n\n"}, {"lang": "es", "value": "Despu\u00e9s de la eliminaci\u00f3n del usuario en MongoDB Server, la incomprobaci\u00f3n incorrecta de las sesiones de autorizaci\u00f3n permite que la sesi\u00f3n de usuario autenticada persista y venga combinada con cuentas nuevas, si esas cuentas reutilizan los nombres de las eliminadas. Este problema afecta a: MongoDB Inc. MongoDB Server versiones v4.0 anteriores a 4.0.9; versiones v3.6 anteriores a 3.6.13; versiones v3.4 anteriores a 3.4.22."}], "id": "CVE-2019-2386", "lastModified": "2024-01-23T15:15:10.990", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2019-08-06T19:15:13.613", "references": [{"source": "cna@mongodb.com", "tags": ["Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-38984"}, {"source": "cna@mongodb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "cna@mongodb.com", "type": "Secondary"}]}