CVE-2019-2388 - Vulnerability Details - OpenCVE

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mongodb	Ops Manager

Configuration 1 [-]

OR	cpe:2.3:a:mongodb:ops_manager:4.0.9:::::::*
	cpe:2.3:a:mongodb:ops_manager:4.0.10:::::::*
	cpe:2.3:a:mongodb:ops_manager:4.1.5:::::::*

No data.

References

Link	Providers
https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.0.11

History

No history.

MITRE

Status: PUBLISHED

Assigner: mongodb

Published: 2020-05-13T16:15:13

Updated: 2024-08-04T18:49:46.370Z

Reserved: 2018-12-10T00:00:00

Link: CVE-2019-2388

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-05-13T17:15:11.717

Modified: 2024-11-21T04:40:46.460

Link: CVE-2019-2388

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Ops Manager", "vendor": "MongoDB Inc.", "versions": [{"status": "affected", "version": "4.0.9"}, {"status": "affected", "version": "4.0.10"}, {"status": "affected", "version": "4.1.5"}]}], "datePublic": "2020-05-13T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.</p>"}], "value": "In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-425", "description": "CWE-425 Direct Request (Forced Browsing)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T14:41:20.817Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.0.11"}], "source": {"defect": ["SECURITY-646"], "discovery": "INTERNAL"}, "title": "Potential exposure of log information in Ops Manager", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@mongodb.com", "ID": "CVE-2019-2388", "STATE": "PUBLIC", "TITLE": "Potential exposure of log information in Ops Manager"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ops Manager", "version": {"version_data": [{"version_affected": "=", "version_name": "4.0", "version_value": "4.0.9"}, {"version_affected": "=", "version_name": "4.0", "version_value": "4.0.10"}, {"version_affected": "=", "version_name": "4.1", "version_value": "4.1.5"}]}}]}, "vendor_name": "MongoDB Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-425 Direct Request (Forced Browsing)"}]}]}, "references": {"reference_data": [{"name": "https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-0", "refsource": "MISC", "url": "https://docs.opsmanager.mongodb.com/current/release-notes/application/#onprem-server-4-0"}]}, "source": {"defect": ["SECURITY-646"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T18:49:46.370Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.0.11"}]}]}, "cveMetadata": {"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "assignerShortName": "mongodb", "cveId": "CVE-2019-2388", "datePublished": "2020-05-13T16:15:13", "dateReserved": "2018-12-10T00:00:00", "dateUpdated": "2024-08-04T18:49:46.370Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:ops_manager:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "458AE1F2-E364-4394-82A7-3F036A3C3A82", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:ops_manager:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "D8062C0A-0378-4FA0-8A52-5617F05DE8B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:ops_manager:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "5CC37C73-568B-4A72-86E1-3C1891A0B9C7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.\n\n"}, {"lang": "es", "value": "En las versiones de Ops Manager afectadas, existe una ruta http expuesta que puede permitir a los atacantes visualizar un registro de acceso espec\u00edfico de una instancia de Ops Manager expuesta p\u00fablicamente. Este problema afecta: MongoDB Inc. MongoDB Ops Manager 4.0 versiones 4.0.9, 4.0.10 y MongoDB Ops Manager 4.1 versi\u00f3n 4.1.5."}], "id": "CVE-2019-2388", "lastModified": "2024-11-21T04:40:46.460", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@mongodb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-13T17:15:11.717", "references": [{"source": "cna@mongodb.com", "url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.0.11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-4.0.11"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-425"}], "source": "cna@mongodb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-425"}], "source": "nvd@nist.gov", "type": "Primary"}]}