// For flags

CVE-2019-2390

Code execution on Windows via OpenSSL engine injection

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.

Un usuario o programa sin privilegios en Microsoft Windows que puede crear archivos de configuración de OpenSSL en una ubicación fija puede hacer que los programas de utilidades enviados con el servidor de MongoDB ejecuten código definido por el atacante como el usuario que ejecuta la utilidad. Este problema afecta: MongoDB Inc. Servidor MongoDB versiones 4.0 anteriores a la versión 4.0.11; versiones 3.6 anteriores a la versión 3.6.14; versiones 3.4 anteriores a la versión 3.4.22.

*Credits: Rich Mirch
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-12-10 CVE Reserved
  • 2019-08-30 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://jira.mongodb.org/browse/SERVER-42233 2024-01-23
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mongodb
Search vendor "Mongodb"
 Mongodb
Search vendor "Mongodb" for product "Mongodb"
 >= 3.4.0 < 3.4.22
Search vendor "Mongodb" for product "Mongodb" and version " >= 3.4.0 < 3.4.22"
-
Affected
in Microsoft
Search vendor "Microsoft"
 Windows
Search vendor "Microsoft" for product "Windows"
--
Safe
Mongodb
Search vendor "Mongodb"
 Mongodb
Search vendor "Mongodb" for product "Mongodb"
 >= 3.6.0 < 3.6.14
Search vendor "Mongodb" for product "Mongodb" and version " >= 3.6.0 < 3.6.14"
-
Affected
in Microsoft
Search vendor "Microsoft"
 Windows
Search vendor "Microsoft" for product "Windows"
--
Safe
Mongodb
Search vendor "Mongodb"
 Mongodb
Search vendor "Mongodb" for product "Mongodb"
 >= 4.0.0 < 4.0.11
Search vendor "Mongodb" for product "Mongodb" and version " >= 4.0.0 < 4.0.11"
-
Affected
in Microsoft
Search vendor "Microsoft"
 Windows
Search vendor "Microsoft" for product "Windows"
--
Safe