CVE-2019-2386— Mongodb MongoDB Server 代码问题漏洞

Authorization session conflation

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

授权机制不恰当

Mongodb MongoDB Server 代码问题漏洞

Mongodb Server是美国Mongodb公司的一套开源的NoSQL数据库。该数据库提供面向集合的存储、动态查询、数据复制及自动故障转移等功能。 MongoDB Server 4.0.9之前的版本、3.6.13之前的3.6版本和3.4.22之前的3.4版本存在代码问题漏洞，该漏洞源于程序没有正确地使授权会话失效。攻击者可利用该漏洞访问MongoDB数据库服务器。

N/A

N/A