Bugzilla – Bug 1147037
VUL-0: CVE-2019-2386: mongodb: improper invalidation of user sessions upon deleting a user account
Last modified: 2019-10-23 12:03:58 UTC
CVE-2019-2386: After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2386
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2386.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2386
https://jira.mongodb.org/browse/SERVER-38984
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829
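As an added illustration (not part of this bug report or of MongoDB's own code), the following Python check tells whether a reported server version falls inside the affected ranges given above. The sample inventory is constructed; the function assumes that release branches the advisory does not list (for example 4.2) are outside its scope and reports them as None rather than as unaffected.

```python
import re

# Fixed-in versions per affected release branch, taken from the advisory text.
FIXED_IN = {
    (4, 0): (4, 0, 9),
    (3, 6): (3, 6, 13),
    (3, 4): (3, 4, 22),
}

# Matches "4.0.8" and pre-release forms such as "4.0.9-rc0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\S+))?$")


def parse_version(version):
    """Return (major, minor, patch, is_prerelease) for a MongoDB version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised MongoDB version: %r" % version)
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_affected(version):
    """True/False for branches the advisory lists; None if the branch is not listed."""
    major, minor, patch, prerelease = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None  # branch not covered by the advisory (assumption: out of scope)
    if (major, minor, patch) < fixed:
        return True
    # A pre-release build of the fixed patch level still predates the fix.
    if (major, minor, patch) == fixed and prerelease:
        return True
    return False


def affected_hosts(inventory):
    """Given {host: version} (e.g. gathered from buildInfo), list hosts still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver) is True)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"db-a": "4.0.8", "db-b": "4.0.9", "db-c": "3.6.12", "db-d": "4.2.0"}
    print("affected:", affected_hosts(sample))  # → affected: ['db-a', 'db-c']
```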
MongoDB is used in such a way that users are not supposed to be deleted. SUSE will not provide a fix for this issue since the risk to our customers posed by this is negligible.
Assigning the bug to the TW maintainer.
Per sr#742116, mongodb will be dropped.