CVE-2019-2390
Code execution on Windows via OpenSSL engine injection
Public Exploits: 0
Exploited in Wild: -
Descriptions
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker-defined code as the user running the utility. This issue affects MongoDB Server v4.0 versions prior to 4.0.11, MongoDB Server v3.6 versions prior to 3.6.14, and MongoDB Server v3.4 versions prior to 3.4.22.
SSVC
- Decision:-
Timeline
- 2018-12-10 CVE Reserved
- 2019-08-30 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
References (1)
URL | Date | SRC |
---|---|---|
https://jira.mongodb.org/browse/SERVER-42233 | 2024-01-23 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|---|---|---|---|---|
Mongodb | Mongodb | >= 3.4.0 < 3.4.22 | - | Affected | in | Microsoft | Windows | - | - | Safe |
Mongodb | Mongodb | >= 3.6.0 < 3.6.14 | - | Affected | in | Microsoft | Windows | - | - | Safe |
Mongodb | Mongodb | >= 4.0.0 < 4.0.11 | - | Affected | in | Microsoft | Windows | - | - | Safe |