CVE-2019-2386
HIGHMongoDB Server <4.0.9, <3.6.13, <3.4.22 - Info Disclosure
Title source: llmDescription
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://jira.mongodb.org/browse/SERVER-38984
Exploit, Third Party Advisory x_refsource_misc
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829
Scores
CVSS v3
7.1
EPSS
0.0123
EPSS Percentile
64.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-613
CWE-285
Status
published
Products (1)
mongodb/mongodb
3.4.0 - 3.4.22
Published
Aug 06, 2019
Tracked Since
Feb 18, 2026