CVE-2019-2389
MEDIUM
MongoDB Server <4.0.11, <3.6.14, <3.4.22 - Privilege Escalation
Title source: llm
Description
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allows users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22.
References (1)
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://jira.mongodb.org/browse/SERVER-40563
Scores
CVSS v3
5.3
EPSS
0.0012
EPSS Percentile
30.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H
Details
CWE
CWE-20
CWE-732
Status
published
Products (1)
mongodb/mongodb
3.4.0 - 3.4.22
Published
Aug 30, 2019
Tracked Since
Feb 18, 2026