nvd-json-data-feeds/CVE-2019/CVE-2019-23xx/CVE-2019-2386.json

{
  "id": "CVE-2019-2386",
  "sourceIdentifier": "cna@mongodb.com",
  "published": "2019-08-06T19:15:13.613",
  "lastModified": "2020-10-16T14:35:30.897",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22."
    },
    {
      "lang": "es",
      "value": "Despu\u00e9s de la eliminaci\u00f3n del usuario en MongoDB Server, la incomprobaci\u00f3n incorrecta de las sesiones de autorizaci\u00f3n permite que la sesi\u00f3n de usuario autenticada persista y venga combinada con cuentas nuevas, si esas cuentas reutilizan los nombres de las eliminadas. Este problema afecta a: MongoDB Inc. MongoDB Server versiones v4.0 anteriores a 4.0.9; versiones v3.6 anteriores a 3.6.13; versiones v3.4 anteriores a 3.4.22."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9
      },
      {
        "source": "cna@mongodb.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "SINGLE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.0
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 6.8,
        "impactScore": 6.4,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": true
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ]
    },
    {
      "source": "cna@mongodb.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "3.4.0",
              "versionEndExcluding": "3.4.22",
              "matchCriteriaId": "56AB583F-49FA-4EBD-A1CD-EB9A0853F8F8"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "3.6.0",
              "versionEndExcluding": "3.6.13",
              "matchCriteriaId": "7E74086E-F8F7-438B-8E70-CDF068C7AEE5"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "4.0.0",
              "versionEndExcluding": "4.0.9",
              "matchCriteriaId": "B5544C87-6AF1-43C2-A05E-7D714322D4DB"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://jira.mongodb.org/browse/SERVER-38984",
      "source": "cna@mongodb.com",
      "tags": [
        "Vendor Advisory"
      ]
    },
    {
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829",
      "source": "cna@mongodb.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    }
  ]
}