Source: mongodb
Version: 1:3.4.18-2
Severity: grave
Tags: security upstream
Forwarded: https://jira.mongodb.org/browse/SERVER-38984

Hi,

The following vulnerability was published for mongodb.

CVE-2019-2386[0]:
| After user deletion in MongoDB Server the improper invalidation of
| authorization sessions allows an authenticated user's session to
| persist and become conflated with new accounts, if those accounts
| reuse the names of deleted ones. This issue affects: MongoDB Inc.
| MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to
| 3.6.13; v3.4 versions prior to 3.4.22.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-2386
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2386
[1] https://jira.mongodb.org/browse/SERVER-38984
[2] https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829

Regards,
Salvatore
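
Added example, not part of the original report and not MongoDB's code: a simplified Python model of the flaw class the CVE text describes, where a session bound only to a user name survives deletion of the account and attaches to a new account with the same name. The names AuthServer, User, uid, check_identity and scenario are assumptions made for illustration; the hardened path binds each session to a per-account identifier and rejects it when the name now belongs to a different account.

```python
import itertools
from dataclasses import dataclass, field

_ids = itertools.count(1)  # source of unique ids for accounts and tokens

@dataclass
class User:
    name: str
    roles: frozenset
    uid: int = field(default_factory=lambda: next(_ids))  # new on every creation

class AuthServer:
    """Toy user store plus session table (hypothetical model)."""
    def __init__(self, check_identity):
        self.check_identity = check_identity
        self.users = {}      # name -> User
        self.sessions = {}   # token -> (name, uid captured at login)

    def create_user(self, name, roles):
        self.users[name] = User(name, frozenset(roles))

    def drop_user(self, name):
        # Flaw being modelled: sessions opened as `name` are left in place.
        del self.users[name]

    def login(self, name):
        user = self.users[name]
        token = f"tok-{next(_ids)}"
        self.sessions[token] = (name, user.uid)
        return token

    def roles_for(self, token):
        name, uid = self.sessions[token]
        user = self.users.get(name)
        if user is None:
            return frozenset()
        if self.check_identity and user.uid != uid:
            # Name now belongs to a different account: discard the stale session.
            del self.sessions[token]
            return frozenset()
        return user.roles

def scenario(check_identity):
    """Constructed sequence: log in, drop the user, recreate the same name."""
    srv = AuthServer(check_identity)
    srv.create_user("alice", ["read"])
    stale = srv.login("alice")
    srv.drop_user("alice")
    srv.create_user("alice", ["dbAdmin"])  # new account reusing the old name
    return srv.roles_for(stale)
```

With check_identity=False the old session resolves to the new account's roles; with check_identity=True it resolves to no roles.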