CVE-2019-2386

Public Exploit

Authorization session conflation

Description

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.

Remediation

Workaround:

After deleting one or more users, restart any nodes which may have had active user authorization sessions.
Refrain from creating user accounts with the same name as previously deleted accounts.

References

Link	Tags
https://jira.mongodb.org/browse/SERVER-38984	vendor advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829	third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2019-2386?: CVE-2019-2386 has been scored as a high severity vulnerability.
How to fix CVE-2019-2386?: As a workaround for remediating CVE-2019-2386: After deleting one or more users, restart any nodes which may have had active user authorization sessions.
Is CVE-2019-2386 being actively exploited in the wild?: It is possible that CVE-2019-2386 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-2386?: CVE-2019-2386 affects MongoDB Inc. MongoDB Server.

Description

Remediation

Categories

CWE-285 – Improper Authorization

CWE-613 – Insufficient Session Expiration

References

Frequently Asked Questions