First published: Fri Aug 30 2019
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allows users with write access to the PID file to insert arbitrary PIDs that are then killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11, MongoDB Server v3.6 versions prior to 3.6.14, and MongoDB Server v3.4 versions prior to 3.4.22.
Credit: cna@mongodb.com
Affected Software | Affected Version | How to fix
---|---|---
MongoDB MongoDB | >=3.4.0, <3.4.22 | Upgrade to 3.4.22 or later
MongoDB MongoDB | >=3.6.0, <3.6.14 | Upgrade to 3.6.14 or later
MongoDB MongoDB | >=4.0.0, <4.0.11 | Upgrade to 4.0.11 or later
CVE-2019-2389 is a vulnerability in MongoDB Server's packaged SysV init scripts: a user with write access to the PID file can insert arbitrary PIDs, and those processes are killed when the root user stops the MongoDB process via SysV init.
MongoDB Server v3.4 to v4.0 versions are affected by CVE-2019-2389: 3.4.0 up to but not including 3.4.22, 3.6.0 up to but not including 3.6.14, and 4.0.0 up to but not including 4.0.11.
CVE-2019-2389 has a severity rating of 4.2 (medium).
To fix CVE-2019-2389, update MongoDB Server to a version that is not affected by the vulnerability (3.4.22, 3.6.14, or 4.0.11 or later on the respective branch).
More information about CVE-2019-2389 can be found at https://jira.mongodb.org/browse/SERVER-40563.
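As an added illustration of the defensive check a SysV stop action needs before trusting a PID file the service account can write (this is example code, not MongoDB's packaged init script and not the actual fix from SERVER-40563), the function below accepts only a single numeric PID whose process is the expected daemon running under the expected uid, so injected or malformed entries are never handed to `kill`. The function names, the `/proc` layout, and the sample paths are assumptions.

```shell
#!/bin/sh
# Hardened PID-file handling for a SysV-style stop action (illustrative
# example, not MongoDB's script). Assumes a Linux /proc filesystem.
#   $1 = PID file path, e.g. /var/run/mongodb/mongod.pid
#   $2 = expected command name, e.g. mongod
#   $3 = expected numeric owner uid, e.g. "$(id -u mongodb)"
# Prints the PID and returns 0 only if every check passes; otherwise
# prints nothing and returns 1, so the caller never runs kill on junk.
safe_pid_from_file() {
    pidfile=$1 expect_comm=$2 expect_uid=$3

    # 1. Must be a regular file, not a symlink pointing somewhere else.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || return 1

    # 2. Exactly one line of digits. Rejects "-1" (would signal every
    #    process), "4242 1", a second injected line, and empty files.
    #    An unquoted $(cat "$pidfile") would hand every token to kill.
    pid=$(head -n 1 "$pidfile")
    [ "$(cat "$pidfile")" = "$pid" ] || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac

    # 3. Never PID 0 (own process group) or PID 1 (init).
    [ "$pid" -gt 1 ] || return 1

    # 4. The process must exist and be the daemon this script manages.
    [ -d "/proc/$pid" ] || return 1
    [ "$(cat "/proc/$pid/comm" 2>/dev/null)" = "$expect_comm" ] || return 1

    # 5. ... and run as the service account, not as some other user.
    [ "$(stat -c %u "/proc/$pid" 2>/dev/null)" = "$expect_uid" ] || return 1

    printf '%s\n' "$pid"
}

# Stop action that refuses to act on anything the check did not bless.
stop_daemon() {
    pid=$(safe_pid_from_file "$1" "$2" "$3") || {
        echo "refusing to stop: PID file $1 failed validation" >&2
        return 1
    }
    kill "$pid"
}
```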