Permissions, Privileges, and Access Controls in MongoDB - CVE-2019-2389


Published: September 24, 2019


Vulnerability identifier: #VU21321
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-2389
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: MongoDB, Inc.
Affected software:
MongoDB

Detailed vulnerability description

The vulnerability allows a local user to kill arbitrary processes on the system.

The vulnerability exists due to insufficient validation of the data present in the PID file. A local user with write access to the MongoDB PID file can insert arbitrary PIDs into it and thereby kill arbitrary processes on the system with root privileges, once the MongoDB process is stopped via the SysV init script.
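The weakness described above is an init script trusting whatever a PID file contains. As an added example (not MongoDB's own init script and not code from this advisory), the POSIX shell fragment below shows the checks a stop routine can apply before signalling anything: it refuses a PID file that group or other users could have written, refuses contents that are not a single positive PID, confirms a live process exists, and confirms that process has the expected command name (assumed to be `mongod`; the function names `validate_pidfile` and `stop_daemon` are this example's own). A planted PID that fails any check is never passed to `kill`.

```shell
#!/bin/sh
# Hardened PID-file handling for a SysV-style init script.
# Added example with assumed names; not MongoDB's own script.

# validate_pidfile FILE EXPECTED_COMM
# Prints the PID and returns 0 only if FILE is not writable by group/other,
# contains exactly one positive integer, that process is alive, and its
# command name equals EXPECTED_COMM. Otherwise returns 1 with a reason on stderr.
validate_pidfile() {
    file=$1
    expected=$2

    [ -f "$file" ] || { echo "pidfile missing: $file" >&2; return 1; }

    # Mode string from ls: type + rwx for user, group, other (10 chars).
    # Group write is the 6th character, other write is the 9th.
    mode=$(ls -ld "$file" | cut -c1-10)
    case $mode in
        ?????w????|????????w?)
            echo "pidfile is group/world writable ($mode): $file" >&2
            return 1 ;;
    esac

    pid=$(cat "$file")
    # Anything other than digits (spaces, a second line, a sign, letters) is rejected.
    case $pid in
        ''|*[!0-9]*)
            echo "pidfile does not contain a single numeric PID: $file" >&2
            return 1 ;;
    esac

    # PID 0 and PID 1 (init) are never a legitimate daemon target.
    [ "$pid" -gt 1 ] || { echo "refusing to act on PID $pid" >&2; return 1; }

    kill -0 "$pid" 2>/dev/null || { echo "no live process with PID $pid" >&2; return 1; }

    # The PID must belong to the daemon itself, not to a process whose number
    # was planted in the file (or that reused the number after a crash).
    if [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
    else
        comm=$(ps -o comm= -p "$pid" 2>/dev/null | sed 's!.*/!!')
    fi
    [ "$comm" = "$expected" ] || {
        echo "PID $pid is '$comm', not '$expected'; not signalling it" >&2
        return 1
    }

    printf '%s\n' "$pid"
}

# stop_daemon FILE EXPECTED_COMM
# Guarded replacement for the classic "kill $(cat pidfile)" stop action.
stop_daemon() {
    pid=$(validate_pidfile "$1" "$2") || return 1
    kill -TERM "$pid"
}
```

In a real init script the expected name would be `mongod` (for example `stop_daemon /var/run/mongodb/mongod.pid mongod`). The writable-bits check only covers the file mode; on systems where `stat` is available in a known dialect, also verifying that the PID file and its directory are owned by root or the service account closes the remaining write-access paths.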


How to mitigate CVE-2019-2389

Install updates from the vendor's website.

Sources