{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Server", "vendor": "MongoDB Inc.", "versions": [{"lessThan": "4.0.9", "status": "affected", "version": "4.0", "versionType": "custom"}, {"lessThan": "3.6.13", "status": "affected", "version": "3.6", "versionType": "custom"}, {"lessThan": "3.4.22", "status": "affected", "version": "3.4", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Discovered by Mitch Wasson of Cisco's Advanced Malware Protection Group."}], "datePublic": "2019-08-06T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.</p>Workaround: <br><p>After deleting one or more users, restart any nodes which may have had active user authorization sessions.</p><p>Refrain from creating user accounts with the same name as previously deleted accounts.</p>"}], "value": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.\n\nWorkaround: \nAfter deleting one or more users, restart any nodes which may have had active user authorization sessions.\n\nRefrain from creating user accounts with the same name as previously deleted accounts."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T14:35:15.967Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jira.mongodb.org/browse/SERVER-38984"}, {"tags": ["x_refsource_MISC"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"}], "source": {"defect": ["SECURITY-556"], "discovery": "EXTERNAL"}, "title": "Authorization session conflation", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>After deleting one or more users, restart any nodes which may have had active user authorization sessions.</p>"}], "value": "After deleting one or more users, restart any nodes which may have had active user authorization sessions."}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Refrain from creating user accounts with the same name as previously deleted accounts.</p>"}], "value": "Refrain from creating user accounts with the same name as previously deleted accounts."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@mongodb.com", "ID": "CVE-2019-2386", "STATE": "PUBLIC", "TITLE": "Authorization session conflation"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MongoDB Server", "version": {"version_data": [{"version_affected": "<", "version_name": "4.0", "version_value": "4.0.9"}, {"version_affected": "<", "version_name": "3.6", "version_value": "3.6.13"}, {"version_affected": "<", "version_name": "3.4", "version_value": "3.4.22"}]}}]}, "vendor_name": "MongoDB Inc."}]}}, "credit": [{"lang": "eng", "value": "Discovered by Mitch Wasson of Cisco's Advanced Malware Protection Group."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-285 Improper Authorization"}]}]}, "references": {"reference_data": [{"name": "https://jira.mongodb.org/browse/SERVER-38984", "refsource": "CONFIRM", "url": "https://jira.mongodb.org/browse/SERVER-38984"}, {"name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"}]}, "source": {"defect": ["SECURITY-556"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "After deleting one or more users, restart any nodes which may have had active user authorization sessions."}, {"lang": "en", "value": "Refrain from creating user accounts with the same name as previously deleted accounts."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T18:49:46.349Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jira.mongodb.org/browse/SERVER-38984"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"}]}]}, "cveMetadata": {"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "assignerShortName": "mongodb", "cveId": "CVE-2019-2386", "datePublished": "2019-08-06T18:32:07.000Z", "dateReserved": "2018-12-10T00:00:00.000Z", "dateUpdated": "2024-08-04T18:49:46.349Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "56AB583F-49FA-4EBD-A1CD-EB9A0853F8F8", "versionEndExcluding": "3.4.22", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E74086E-F8F7-438B-8E70-CDF068C7AEE5", "versionEndExcluding": "3.6.13", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5544C87-6AF1-43C2-A05E-7D714322D4DB", "versionEndExcluding": "4.0.9", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.\n\nWorkaround: \nAfter deleting one or more users, restart any nodes which may have had active user authorization sessions.\n\nRefrain from creating user accounts with the same name as previously deleted accounts."}, {"lang": "es", "value": "Despu\u00e9s de la eliminaci\u00f3n del usuario en MongoDB Server, la incomprobaci\u00f3n incorrecta de las sesiones de autorizaci\u00f3n permite que la sesi\u00f3n de usuario autenticada persista y venga combinada con cuentas nuevas, si esas cuentas reutilizan los nombres de las eliminadas. Este problema afecta a: MongoDB Inc. MongoDB Server versiones v4.0 anteriores a 4.0.9; versiones v3.6 anteriores a 3.6.13; versiones v3.4 anteriores a 3.4.22."}], "id": "CVE-2019-2386", "lastModified": "2026-02-23T16:20:41.457", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "cna@mongodb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-06T19:15:13.613", "references": [{"source": "cna@mongodb.com", "tags": ["Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-38984"}, {"source": "cna@mongodb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-38984"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "cna@mongodb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-613"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mongodb: Improper invalidation of authorization sessions for deleted users", "id": "1746132", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1746132"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-613", "details": ["After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.\nWorkaround: \nAfter deleting one or more users, restart any nodes which may have had active user authorization sessions.\nRefrain from creating user accounts with the same name as previously deleted accounts.", "A session expiration flaw was discovered in MongoDB. After a user is deleted, the session tokens for that user do not expire and can be reused if a new user is created with the same name. An attacker with access to a MongoDB user could exploit this flaw to gain access to the new user account."], "mitigation": {"lang": "en:us", "value": "This vulnerability can be mitigated by either of two administrative practices:\n* Whenever a user is deleted, restart all nodes where that user may have an active session\n* When a user is deleted, ensure than a new user with the same name will never be created\nIf your mongodb instance is deployed in a situation where users never need to be deleted, or one of the above mitigations can be applied, this vulnerability can not be exploited."}, "name": "CVE-2019-2386", "package_state": [{"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "mongodb", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-mongodb34-mongodb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-mongodb36-mongodb", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "package_name": "mongodb", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2019-08-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-2386\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-2386\nhttps://jira.mongodb.org/browse/SERVER-38984"], "statement": "The supported versions of Red Hat Satellite do not ship the affected MongoDB and are only consumed through Red Hat Software Collections (RHSCL) repository. However, the product is not affected by the vulnerability because the usage of MongoDB does not add or delete users on a recurring basis.\nThis issue does affect the versions of MongoDB as shipped with Red Hat Update Infrastructure for Cloud Providers, but the service is only accessible by users who already have access to the Red Hat Update Appliance (RHUA).", "threat_severity": "Moderate"}