CVE-2019-2390 HIGH

CVE-2019-2390: Code execution on Windows via OpenSSL engine injection

Vendor Mongodb Inc.
Product MongoDB Server
Weakness CWE-94 · Code injection
Published August 30, 2019
Last update August 4, 2024

CVSS base score

8.2/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

An unprivileged user or program on Microsoft Windows that can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB Server to run attacker-defined code as the user running the utility. This issue affects MongoDB Server v4.0 versions prior to 4.0.11, MongoDB Server v3.6 versions prior to 3.6.14, and MongoDB Server v3.4 versions prior to 3.4.22.

Key dates

02 Disclosure timeline

August 30, 2019 CVE published
August 4, 2024 Record updated