Bug 1147037 - (CVE-2019-2386) VUL-0: CVE-2019-2386: mongodb: improper invalidation of user sessions upon deleting a user account
Status: RESOLVED WONTFIX
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other / OS: Other
Importance: P3 - Medium, Normal
Target Milestone: Current
Assigned To: Alberto Planas Dominguez
QA Contact: E-mail List
URL: https://smash.suse.de/issue/239142/
Depends on:
Blocks:
Reported: 2019-08-23 09:47 UTC by Alexandros Toptsoglou
Modified: 2019-10-23 12:03 UTC (History)
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2019-08-23 09:47:26 UTC
CVE-2019-2386

After user deletion in MongoDB Server the improper invalidation of authorization
sessions allows an authenticated user's session to persist and become conflated
with new accounts, if those accounts reuse the names of deleted ones. This issue
affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions
prior to 3.6.13; v3.4 versions prior to 3.4.22.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2386
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-2386.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2386
https://jira.mongodb.org/browse/SERVER-38984
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829
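The following is an added illustration of the bug class named in the description, not code from MongoDB and not a description of how SERVER-38984 was fixed. It is a constructed Python model of two authorization sessions: one that identifies the logged-in user by name only, so the session outlives the dropped account and then silently picks up the roles of a new account that reuses the name, and one that pins the session to the account it authenticated as and re-validates whenever the user catalogue changes. It also includes a plain x.y.z version check against the fixed versions the description lists. All names in it (UserStore, VulnerableSession, HardenedSession, the uid and generation fields, is_affected) are assumptions of the example.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    uid: int            # assumed: unique per account creation, never reused
    roles: frozenset


class UserStore:
    """Stand-in for a server's user catalogue (constructed for this example)."""

    def __init__(self):
        self._users = {}
        self._ids = itertools.count(1)
        self.generation = 0     # bumped on every change so sessions can notice it

    def create_user(self, name, roles):
        user = User(name, next(self._ids), frozenset(roles))
        self._users[name] = user
        self.generation += 1
        return user

    def drop_user(self, name):
        self._users.pop(name, None)
        self.generation += 1

    def get(self, name):
        return self._users.get(name)


class VulnerableSession:
    """Identity is the user *name*: the session survives the drop of its account and,
    once a new account reuses the name, refreshes to that account's roles."""

    def __init__(self, store, name):
        user = store.get(name)
        if user is None:
            raise PermissionError("authentication failed")
        self.store, self.name, self.roles = store, name, user.roles

    def is_authorized(self, role):
        current = self.store.get(self.name)
        if current is not None:            # whoever holds the name now
            self.roles = current.roles
        return role in self.roles          # stale roles survive the drop


class HardenedSession:
    """Identity is (name, uid): any catalogue change re-validates the session against
    the uid it authenticated as, so a dropped or replaced account ends the session."""

    def __init__(self, store, name):
        user = store.get(name)
        if user is None:
            raise PermissionError("authentication failed")
        self.store, self.user, self.seen = store, user, store.generation

    def is_authorized(self, role):
        if self.user is None:
            return False
        if self.store.generation != self.seen:
            current = self.store.get(self.user.name)
            same_account = current is not None and current.uid == self.user.uid
            self.user = current if same_account else None
            self.seen = self.store.generation
        return self.user is not None and role in self.user.roles


def scenario(session_cls):
    """Log in as alice, drop alice, recreate alice with more privilege, and report
    what the original session can still do at each step."""
    store = UserStore()
    store.create_user("alice", {"readWrite"})
    session = session_cls(store, "alice")
    at_login = session.is_authorized("readWrite")
    store.drop_user("alice")
    after_drop = session.is_authorized("readWrite")
    store.create_user("alice", {"root"})         # same name, different account
    after_reuse = session.is_authorized("root")
    return at_login, after_drop, after_reuse


# Fixed versions per branch, as listed in the description above.
FIXED_IN = {(4, 0): (4, 0, 9), (3, 6): (3, 6, 13), (3, 4): (3, 4, 22)}


def is_affected(version):
    """Compare a plain x.y.z mongod version string against FIXED_IN.
    Returns None for branches the description does not mention."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED_IN.get(parts[:2])
    return None if fixed is None else parts < fixed


if __name__ == "__main__":
    print("vulnerable:", scenario(VulnerableSession))   # (True, True, True)
    print("hardened:  ", scenario(HardenedSession))     # (True, False, False)
    print("4.0.8 affected:", is_affected("4.0.8"))       # True
```

The vulnerable session answers True at every step: the dropped account keeps working, and after the name is reused it is authorized as the new, more privileged account. The hardened session answers True only while the account it authenticated as still exists with the same uid.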
Comment 2 Alexandros Toptsoglou 2019-08-27 12:34:45 UTC
MongoDB is used in such a way that users are not supposed to be deleted. SUSE will not provide a fix for this issue since the risk to our customers posed by this is negligible.
Comment 3 Alexandros Toptsoglou 2019-08-27 12:36:07 UTC
Assigning the bug to the TW maintainer.
Comment 4 Alberto Planas Dominguez 2019-10-23 12:03:58 UTC
Per sr#742116, mongodb will be dropped.