FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mongodb -- Our init scripts check /proc/[pid]/stat should validate that `(${procname})` is the process' command name.

Affected packages
mongodb34 < 3.4.22
mongodb36 < 3.6.14
mongodb40 < 4.0.11

Details

VuXML ID 273c6c43-e3ad-11e9-8af7-08002720423d
Discovery 2019-08-06
Entry 2019-09-30

Sicheng Liu of Beijing DBSEC Technology Co., Ltd reports:

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allows users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init.
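
The check named in the entry title, sketched as an added example; this is not MongoDB's or the FreeBSD port's own init script. It assumes the Linux /proc/[pid]/stat layout, and PROC_ROOT, pid_matches_comm and stop_daemon are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: validate a PID-file entry before signalling it.
# PROC_ROOT is a hypothetical override so the check can run against a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# pid_matches_comm PIDFILE PROCNAME
# Prints the PID and returns 0 only if PIDFILE's first line is a single
# decimal PID whose stat entry carries the command name "(PROCNAME)".
pid_matches_comm() {
    pidfile=$1
    procname=$2
    [ -f "$pidfile" ] || return 1

    # Use the first line only; anything that is not purely digits is
    # rejected, so "123 456" or "-1" never reaches kill.
    IFS= read -r pid < "$pidfile" || [ -n "$pid" ] || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1        # never PID 0 or init

    stat_file="$PROC_ROOT/$pid/stat"
    [ -r "$stat_file" ] || return 1     # stale PID: no such process
    IFS= read -r stat_line < "$stat_file" || [ -n "$stat_line" ] || return 1

    # stat is "pid (comm) state ..."; comm may itself contain spaces or
    # parentheses, so cut after the first "(" and before the last ")".
    comm=${stat_line#*\(}
    comm=${comm%\)*}
    [ "$comm" = "$procname" ] || return 1
    printf '%s\n' "$pid"
}

# stop_daemon PIDFILE PROCNAME
# Sends SIGTERM only when the PID file points at the expected daemon.
stop_daemon() {
    pid=$(pid_matches_comm "$1" "$2") || {
        echo "refusing to signal: $1 does not point at $2" >&2
        return 1
    }
    kill -TERM "$pid"
}
```

The kernel truncates the command name in stat to 15 characters, so a longer binary name has to be compared in its truncated form. Because a process can set its own command name, this check narrows what a tampered PID file can hit, and the PID file should still be writable only by root.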

References

CVE Name CVE-2019-2389
URL https://jira.mongodb.org/browse/SERVER-40563