Description

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.

Remediation

References

CVE-2019-2390

Related Vulnerabilities

WordPress Plugin Monsters Editor for WP Super Edit Arbitrary File Upload (1.1)

WordPress Plugin WP Online Store Local File Include and Multiple File Disclosure Vulnerabilities (1.3.1)

IBM RTC Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-20352)

Jenkins Improper Input Validation Vulnerability (CVE-2017-1000394)

MySQL CVE-2021-2278 Vulnerability (CVE-2021-2278)

Severity

High

Classification

CVE-2019-2390 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities