CVE-2019-2390 in MongoDB
Summary
by MITRE
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker-defined code as the user running the utility. This issue affects MongoDB Server v4.0 versions prior to 4.0.11, MongoDB Server v3.6 versions prior to 3.6.14, and MongoDB Server v3.4 versions prior to 3.4.22.
Analysis
by VulDB Data Team • 02/23/2026
This vulnerability is a critical local privilege escalation flaw in MongoDB server releases prior to specific patch versions. On Microsoft Windows, an unprivileged user who can create OpenSSL configuration files in a fixed location can make the utility programs shipped with the server execute attacker-defined code with the privileges of the user running that utility. The root cause is that these utilities load their OpenSSL configuration from a fixed path, so manipulation of the local file system becomes a route to arbitrary code execution. The affected versions are MongoDB Server 4.0.x before 4.0.11, 3.6.x before 3.6.14, and 3.4.x before 3.4.22, so the impact spans three major release lines.
The flaw is triggered when a MongoDB utility processes an OpenSSL configuration file found at a predictable, fixed system path: an attacker who can write there plants a crafted configuration file that causes unintended code execution. This is a classic path traversal and configuration injection weakness, in which the utilities fail to validate or sanitize the OpenSSL configuration file path; it is classified under CWE-22 Path Traversal and CWE-78 Command Injection, since the attacker manipulates a file path and ends up executing arbitrary commands through OpenSSL configuration processing. Exploitation needs only local file-system access sufficient to create or modify files in the fixed location, which is what makes it dangerous in multi-tenant environments and for users who otherwise hold limited privileges.
Operationally the impact is severe: an unprivileged local user gains code execution with the privileges of the MongoDB utility process, which can lead to full system compromise. An attacker can use the flaw to escalate privileges, establish persistence, or move laterally within the network. It is particularly concerning because the affected components may run with elevated privileges, for example when started as a service or daemon. The attack vector is persistent and reusable for as long as the attacker retains write access to the fixed location from which OpenSSL configuration files are read.
Mitigation should start with upgrading affected MongoDB server installations to the fixed releases, combined with proper file-system permissions and access controls. Organizations should ensure that the fixed locations from which OpenSSL configuration files are loaded are not writable by unprivileged users, and that utility programs are configured to use secure, non-predictable file paths. In ATT&CK terms the vulnerability maps to T1068 Exploitation for Privilege Escalation and T1059 Command and Scripting Interpreter, since the attacker ends up executing commands with elevated privileges. Further defensive measures include file integrity monitoring of those locations, restricting local file-system access for MongoDB processes, and regular security assessments to find and remediate similar configuration-loading weaknesses in other software components.
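The two checks a defender would want from the mitigation guidance above, as an added PowerShell example that is not part of the VulDB entry or of MongoDB's own tooling: a version test against the fixed releases named on this page (4.0.11, 3.6.14, 3.4.22), and an ACL audit that reports whether broad low-privilege principals can create or replace files in a directory. The function names are hypothetical, and the OpenSSL configuration directory is not stated on the page, so the path argument is a placeholder that you must set to the OPENSSLDIR your build reports (`openssl version -d`).

```powershell
# Added example for CVE-2019-2390 (not from the VulDB page or from MongoDB).
# Assumptions: function names are hypothetical; the OpenSSL configuration
# directory is NOT given on the page, so pass the OPENSSLDIR that your
# OpenSSL build prints for 'openssl version -d'.

function Test-MongoVersionAffected {
    # Returns $true when the given MongoDB Server version falls in an affected
    # range listed by the advisory: 4.0.x < 4.0.11, 3.6.x < 3.6.14, 3.4.x < 3.4.22.
    param([Parameter(Mandatory)][string]$Version)
    $v = [version]$Version
    $fixed = @{
        '4.0' = [version]'4.0.11'
        '3.6' = [version]'3.6.14'
        '3.4' = [version]'3.4.22'
    }
    $line = "$($v.Major).$($v.Minor)"
    if ($fixed.ContainsKey($line)) { return ($v -lt $fixed[$line]) }
    return $false   # release lines not named by the advisory are not flagged
}

function Get-UnprivilegedWriteAccess {
    # Lists Allow ACEs on $Path that let broad, low-privilege principals plant
    # or replace files there. An empty result means no such ACE was found.
    param([Parameter(Mandatory)][string]$Path)

    # Rights that permit creating, overwriting or removing files in a directory.
    # Modify and FullControl contain these bits, so they match as well.
    $plantMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

    # Principals that effectively mean "any local user"
    $broad = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band ([int]$plantMask)) -ne 0 -and
            $broad -contains $_.IdentityReference.Value
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage:
#   Test-MongoVersionAffected -Version '4.0.10'   # True  (below the 4.0.11 fix)
#   Test-MongoVersionAffected -Version '3.6.14'   # False (fixed release)
#   Test-MongoVersionAffected -Version '4.2.0'    # False (line not listed)
#   Get-UnprivilegedWriteAccess -Path 'C:\PLACEHOLDER\openssl-config-dir'
```

Run the ACL check as the account that normally invokes the MongoDB utilities; any row it returns is a finding to fix by removing the write/create right for that principal, and the same directory is a natural target for the file integrity monitoring mentioned above.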