UBUNTU-CVE-2019-2386
- Source
- https://ubuntu.com/security/CVE-2019-2386
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-2386.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2019-2386
- Upstream
- Downstream
- Related
- Published
- 2019-08-06T19:15:00Z
- Modified
- 2026-01-30T01:46:05.321724Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Ubuntu - low
- Summary
- [none]
- Details
-
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.
- References
Affected packages
Ubuntu:14.04:LTS / mongodb
Package
- Name
- mongodb
- Purl
- pkg:deb/ubuntu/mongodb@1:2.4.9-1ubuntu2?arch=source&distro=trusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1:2.*
1:2.4.6-0ubuntu5
1:2.4.6-0ubuntu6
1:2.4.8-1ubuntu1
1:2.4.8-2
1:2.4.9-1
1:2.4.9-1ubuntu1
1:2.4.9-1ubuntu2
Ecosystem specific
{
"binaries": [
{
"binary_version": "1:2.4.9-1ubuntu2",
"binary_name": "mongodb"
},
{
"binary_version": "1:2.4.9-1ubuntu2",
"binary_name": "mongodb-clients"
},
{
"binary_version": "1:2.4.9-1ubuntu2",
"binary_name": "mongodb-dev"
},
{
"binary_version": "1:2.4.9-1ubuntu2",
"binary_name": "mongodb-server"
}
]
}
Ubuntu:16.04:LTS / mongodb
Package
- Name
- mongodb
- Purl
- pkg:deb/ubuntu/mongodb@1:2.6.10-0ubuntu1?arch=source&distro=xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:18.04:LTS / mongodb
Package
- Name
- mongodb
- Purl
- pkg:deb/ubuntu/mongodb@1:3.6.3-0ubuntu1.3?arch=source&distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1:3.6.3-0ubuntu1.3
Affected versions
1:3.*
1:3.4.7-1
1:3.4.7-1ubuntu1
1:3.4.7-1ubuntu2
1:3.4.7-1ubuntu4
1:3.4.14-3ubuntu1
1:3.4.14-3ubuntu2
1:3.6.3-0ubuntu1
1:3.6.3-0ubuntu1.1
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_version": "1:3.6.3-0ubuntu1.3",
"binary_name": "mongodb"
},
{
"binary_version": "1:3.6.3-0ubuntu1.3",
"binary_name": "mongodb-clients"
},
{
"binary_version": "1:3.6.3-0ubuntu1.3",
"binary_name": "mongodb-server"
},
{
"binary_version": "1:3.6.3-0ubuntu1.3",
"binary_name": "mongodb-server-core"
}
]
}
Ubuntu:20.04:LTS / mongodb
Package
- Name
- mongodb
- Purl
- pkg:deb/ubuntu/mongodb@1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2
Affected versions
1:3.*
1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu2
1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_version": "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2",
"binary_name": "mongodb"
},
{
"binary_version": "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2",
"binary_name": "mongodb-clients"
},
{
"binary_version": "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2",
"binary_name": "mongodb-server"
},
{
"binary_version": "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2",
"binary_name": "mongodb-server-core"
}
]
}