CVE-2019-2386 Information
Feb 14, 2021
cve
Description
After user deletion in MongoDB Server, the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Reference
https://jira.mongodb.org/browse/SERVER-38984
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Base Score: 7.1
Base Severity: HIGH