FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mongodb -- Attach IDs to users

Affected packages
mongodb34 < 3.4.22
mongodb36 < 3.6.13
mongodb40 < 4.0.9

Details

VuXML ID 880bca8f-e201-11e9-8af7-08002720423d
Discovery 2019-08-06
Entry 2019-09-28

Mitch Wasson of Cisco's Advanced Malware Protection Group reports:

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones.
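The flaw reported above, reduced to a simplified model (an added example, not MongoDB's code and not part of the advisory): a session that records only a user name is conflated with a new account that reuses the name, while a session that also records a per-account ID is rejected. All class, role and token names are constructed, and the `bind_by_id` switch is an assumption about the general shape of the fix, based on the entry title.

```python
import itertools
from dataclasses import dataclass

_ids = itertools.count(1)  # stand-in for a never-reused per-account ID


@dataclass(frozen=True)
class User:
    name: str
    uid: int            # assigned at account creation
    roles: frozenset


class Server:
    def __init__(self, bind_by_id):
        self.bind_by_id = bind_by_id
        self.users = {}      # name -> User
        self.sessions = {}   # token -> (name, uid) captured at login

    def create_user(self, name, roles):
        self.users[name] = User(name, next(_ids), frozenset(roles))

    def drop_user(self, name):
        # Models the flaw: the dropped user's sessions are left in place.
        del self.users[name]

    def login(self, name, token):
        user = self.users[name]
        self.sessions[token] = (user.name, user.uid)

    def roles_for(self, token):
        name, uid = self.sessions[token]
        user = self.users.get(name)
        if user is None:
            return frozenset()
        if self.bind_by_id and user.uid != uid:
            # Same name, different account: the session is stale, so drop it.
            del self.sessions[token]
            return frozenset()
        return user.roles


def scenario(bind_by_id):
    s = Server(bind_by_id)
    s.create_user("alice", {"reader"})   # constructed account and role
    s.login("alice", "tok-old")          # session opened before deletion
    s.drop_user("alice")
    s.create_user("alice", {"admin"})    # new account reuses the name
    return s.roles_for("tok-old")        # what the old session can now do
```

With name-only binding the old session resolves to the new account's roles; with ID binding it resolves to none.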

References

CVE Name CVE-2019-2386
URL https://jira.mongodb.org/browse/SERVER-38984