[Bug 1934518] Re: improper invalidation of authorization sessions
Heather Lemon
1934518 at bugs.launchpad.net
Tue Aug 3 20:55:10 UTC 2021
** Patch removed: "CVE-2019-2386-bionic-20210702.debdiff"
https://bugs.launchpad.net/ubuntu/bionic/+source/mongodb/+bug/1934518/+attachment/5508664/+files/CVE-2019-2386-bionic-20210702.debdiff
** Patch removed: "CVE-2019-2386-bionic-20210706.debdiff"
https://bugs.launchpad.net/ubuntu/bionic/+source/mongodb/+bug/1934518/+attachment/5509448/+files/CVE-2019-2386-bionic-20210706.debdiff
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1934518
Title:
improper invalidation of authorization sessions
Status in mongodb source package in Trusty:
Confirmed
Status in mongodb source package in Bionic:
Confirmed
Status in mongodb source package in Focal:
Confirmed
Bug description:
CVE: https://ubuntu.com/security/CVE-2019-2386
After user deletion in MongoDB Server the improper invalidation of
authorization sessions allows an authenticated user’s session to
persist and become conflated with new accounts, if those accounts
reuse the names of deleted ones. This issue affects: MongoDB Inc.
MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to
3.6.13; v3.4 versions prior to 3.4.22.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/trusty/+source/mongodb/+bug/1934518/+subscriptions
More information about the Ubuntu-sponsors
mailing list