Candidate: CVE-2019-2389
PublicDate: 2019-08-30 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2389
 https://jira.mongodb.org/browse/SERVER-40563
Description:
 Incorrect scoping of kill operations in MongoDB Server's packaged SysV init
 scripts allow users with write access to the PID file to insert arbitrary
 PIDs to be killed when the root user stops the MongoDB process via SysV
 init. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior
 to 4.0.11; v3.6 versions prior to 3.6.14; v3.4 versions prior to 3.4.22.
Ubuntu-Description:
Notes:
 markmorlino> problem not present in LSB version of init script
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H [4.2 MEDIUM]


Patches_mongodb:
upstream_mongodb: needs-triage
precise/esm_mongodb: DNE
trusty_mongodb: ignored (out of standard support)
trusty/esm_mongodb: not-affected (code not present)
xenial_mongodb: not-affected (code not present)
bionic_mongodb: not-affected (code not present)
disco_mongodb: not-affected (code not present)
eoan_mongodb: not-affected (code not present)
devel_mongodb: not-affected (code not present)