CVE-2019-2390

Summary

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.

Affected Software

VendorProductVersion RangeStatus
MongoDB Inc.MongoDB Server4.0 < 4.0.11affected
MongoDB Inc.MongoDB Server3.6 < 3.6.14affected
MongoDB Inc.MongoDB Server3.4 < 3.4.22affected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CVE Program Container

Additional References

References