{"id":"CVE-2019-2390","details":"An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.","modified":"2026-04-11T09:39:58.209186Z","published":"2019-08-30T15:15:11.050Z","references":[{"type":"REPORT","url":"https://jira.mongodb.org/browse/SERVER-42233"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"f4240c60f005be757399042dc12f6addbc3170c1"},{"fixed":"aa313e18da568c4afd120f99e56d2da7d7fcdd58"},{"introduced":"a57d8e71e6998a2d0afde7edc11bd23e5661c915"},{"fixed":"cbef87692475857c7ee6e764c8f5104b39c342a1"},{"introduced":"3b07af3d4f471ae89e8186d33bbb1d5259597d51"},{"fixed":"417d1a712e9f040d54beca8e4943edce218e9a8c"}],"database_specific":{"versions":[{"introduced":"3.4.0"},{"fixed":"3.4.22"},{"introduced":"3.6.0"},{"fixed":"3.6.14"},{"introduced":"4.0.0"},{"fixed":"4.0.11"}]}}],"versions":["r3.4.0","r3.4.1","r3.4.1-rc0","r3.4.10","r3.4.10-rc0","r3.4.11","r3.4.11-rc0","r3.4.12","r3.4.12-rc0","r3.4.13","r3.4.14","r3.4.14-rc0","r3.4.15","r3.4.15-rc0","r3.4.16","r3.4.16-rc0","r3.4.17","r3.4.17-rc0","r3.4.18","r3.4.18-rc0","r3.4.19","r3.4.19-rc0","r3.4.2","r3.4.2-rc0","r3.4.20","r3.4.20-rc0","r3.4.21","r3.4.21-rc0","r3.4.3","r3.4.3-rc0","r3.4.3-rc1","r3.4.3-rc2","r3.4.4","r3.4.4-rc0","r3.4.5","r3.4.5-rc0","r3.4.5-rc1","r3.4.5-rc2","r3.4.5-rc3","r3.4.5-rc4","r3.4.6","r3.4.6-rc0","r3.4.7","r3.4.7-rc0","r3.4.8","r3.4.8-rc0","r3.4.8-rc1","r3.4.9","r3.4.9-rc0","r3.6.0","r3.6.1","r3.6.1-rc0","r3.6.1-rc1","r3.6.10","r3.6.10-rc0","r3.6.10-rc1","r3.6.11","r3.6.11-rc0","r3.6.11-rc1","r3.6.11-rc2","r3.6.12","r3.6.12-rc0","r3.6.12-rc1","r3.6.13","r3.6.13-rc0","r3.6.13-rc1","r3.6.2","r3.6.2-rc0","r3.6.3","r3.6.3-rc0","r3.6.3-rc1","r3.6.4","r3.6.4-rc0","r3.6.5","r3.6.5-rc0","r3.6.6","r3.6.6-rc0","r3.6.7","r3.6.7-rc0","r3.6.7-rc1","r3.6.8","r3.6.8-rc0","r3.6.8-rc1","r3.6.9","r3.6.9-rc0","r4.0.0","r4.0.1","r4.0.1-rc0","r4.0.1-rc1","r4.0.10","r4.0.10-rc0","r4.0.10-rc1","r4.0.2","r4.0.2-rc0","r4.0.3","r4.0.3-rc0","r4.0.4","r4.0.4-rc0","r4.0.4-rc1","r4.0.4-rc2","r4.0.5","r4.0.5-rc0","r4.0.5-rc1","r4.0.6","r4.0.6-rc0","r4.0.6-rc1","r4.0.7","r4.0.7-rc0","r4.0.7-rc1","r4.0.8","r4.0.8-rc0","r4.0.9","r4.0.9-rc0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"id":"CVE-2019-2390-1004a8a5","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"length":185,"function_hash":"61937275010239874520346460970434129605"},"signature_version":"v1","signature_type":"Function","target":{"function":"PrefixedWiredTigerHarnessHelper","file":"src/mongo/db/storage/wiredtiger/wiredtiger_prefixed_record_store_test.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-165fe0ca","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"line_hashes":["26924533998250295673333829225315630128","294899704879593401439585358118034280990","26357773772601915398355273809563082302","36369067754841074126793706567586669838","225550587569448489494364761297828183055","184916337596216413079806980835012912337","16005808298556303105539870910980885256","326038935544088786231599736129175357720"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-179f8cf0","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"length":344,"function_hash":"325171484802284865273453348753238264298"},"signature_version":"v1","signature_type":"Function","target":{"function":"WiredTigerMaxCacheOverflowSizeGBParameter::set","file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-36cf247e","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"length":227,"function_hash":"309332410048955961199855927604179246637"},"signature_version":"v1","signature_type":"Function","target":{"function":"WiredTigerMaxCacheOverflowSizeGBParameter::setFromString","file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-3701e914","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"line_hashes":["119176211318513759457844762229488862186","167630980375341147577685041171477178061","266221775816474542517747749908203203554","252740435069336828427599965994332911777","34170612815814906186014929515622184303","154909303271626918978999181290938289801","102675205115642847258618782620220392118","325729426310994268381941079181615944420","100465731876937299083359946438274196783","300473430996537526249928299169702568700"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.h"}},{"deprecated":false,"id":"CVE-2019-2390-381ecc81","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"length":2737,"function_hash":"310243720815985714085396491279593335487"},"signature_version":"v1","signature_type":"Function","target":{"function":"WiredTigerGlobalOptions::add","file":"src/mongo/db/storage/wiredtiger/wiredtiger_global_options.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-3c2aba45","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"line_hashes":["30969995706530208292417370433137582735","105624916076702668899293221139826753110","56377987737233038861690160489650955041","73725080892737409834804641603694074220","150348727581228710305049518861175884150","39392279374615221727101818932570257051","201296950247145913443590097656513358759","82782133590990389918334036292114069028","157729681886114202603114720506163836684","160551174030878405624478857064229772352","331158377951408687509433662341905408405","51128529274861169141063678668910027975","121428755211155561856683898612553980150","226295630971602917343392581547637419580","129993985236784239072741057800362497048","304788163467689446172424281842012883496","246122163920337456879294485748529833599","285879399499901161531209722608203762736","222354329717803450231735411731079875691","247835820645485198377467740988288328882","252566574113722857285232769128018684754","240776436868747816146082863967914811841","226341577968340403871572689970775288834","10681113961972605544187250185057543165","257432588444015083152414373172770725006","326345361037183589399368457819263151508","66433296482673760471420999115173452239","211403969985756980011869524380187725542","274920676961907635885142645811966643878","251279263110983465188537294025094558157","319133431755246212904104648430357583259","161707480851793673885886921342234773239","99301979971449527530495239030045619190","335528643977694596701889744457068632387","230487826986028092490761374767423268535","314891936430974586483051678623577449306","297297958185920560167079216389589866762","114965207342299961214228737732958698401","55207135636688483190530320739297226244","21528257321318194216502391937275486727","115665172727257208757293414161595975045","13382026041774216538777351346393308196","287288054846634883781542376193159825704","265442971244778847045764979711049865644","232373189888151771506092928520156279815","133757880430566243919717566544950500686","202353487195555505160461277194390641235","132554045127168992527609549912891510684","61686435888145368272611071041676773952","24633966662715656627286301798489406347","160394265571953931634857685371973915636","209282261313109613235284970878587356604","247100560728459991276497940144023503380","248244637521409413944083034815527995570","57807352491155151291238543027247327372"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-43431342","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"length":258,"function_hash":"32490590650425592794225243327840925787"},"signature_version":"v1","signature_type":"Function","target":{"function":"WiredTigerMaxCacheOverflowSizeGBParameter::WiredTigerMaxCacheOverflowSizeGBParameter","file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-69670a67","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"line_hashes":["335512549459391923139916337036348929547","26924533998250295673333829225315630128","294899704879593401439585358118034280990","26357773772601915398355273809563082302","36369067754841074126793706567586669838"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.h"}},{"deprecated":false,"id":"CVE-2019-2390-6fe25f99","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"line_hashes":["138959281141294517281112006986386172524","58597587078759479769995464041558602345","154358495532815636517084075138668999113","102943481187578979618909960532568834843","165785192819830749444746111706803194483","18973782206086067397971193736271721203","3617982624798390393119596822693088149","270090421094939727893079222112675877089","28568461906609888853187260752884227883","80291531406500729640250683561383541915","6105029301158106519064548271867776658","223760593813976214606526022960553803428","321469164760366099906806400015892163753","175910447252115462066765619638094160235","135201260266502720881778557412003622294","9268272434792024952683112093726320735","102943481187578979618909960532568834843","165785192819830749444746111706803194483","18973782206086067397971193736271721203","3617982624798390393119596822693088149","270090421094939727893079222112675877089","28568461906609888853187260752884227883","80291531406500729640250683561383541915","3840225334900641061231296018747073664","156901327248016343810471341227556685451","97841995662293048910335699460096735473"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine_test.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-7452db60","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"line_hashes":["18973782206086067397971193736271721203","3617982624798390393119596822693088149","270090421094939727893079222112675877089","28568461906609888853187260752884227883"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_prefixed_record_store_test.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-7952c05c","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"line_hashes":["38079101604146539534475791259808892208","156414038250564622134750294707557772105","209586999999009640223531670584778675334","268342650047195845365776823454810479703","258852578411061926793537845349034731394","277736225196093030394296124676928018591","139444987617341794487780126264823500682","97217929470521567532498788635832656472","121760658055090446392678317161090746511","183867666675416423631459167770340332507","114574059631507776817150089223951885534","62416750766851205629200977621708402734"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_global_options.h"}},{"deprecated":false,"id":"CVE-2019-2390-8264ec95","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"length":151,"function_hash":"249220919466888254283357919104976399644"},"signature_version":"v1","signature_type":"Function","target":{"function":"WiredTigerMaxCacheOverflowSizeGBParameter::append","file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-928609e9","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"length":268,"function_hash":"92208364558702838890526700109616659378"},"signature_version":"v1","signature_type":"Function","target":{"function":"WiredTigerGlobalOptions::validateMaxCacheOverflowFileSizeGB","file":"src/mongo/db/storage/wiredtiger/wiredtiger_global_options.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-96fa9cdc","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"length":3508,"function_hash":"242134494251850389799080679595484001934"},"signature_version":"v1","signature_type":"Function","target":{"function":"_readOnly","file":"src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-9e071f18","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"line_hashes":["30888742784525923677032317438933729509","25405049016967465495261459088961942664","108430275857439391778589646845731983939","307672897278097863661314783820597410391","219733424293973400719052234968305455515","34977716437213413511171953821010319491","165074186159423819645958630099807510565","270090421094939727893079222112675877089","28568461906609888853187260752884227883"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_standard_record_store_test.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-b187b8f3","source":"https://github.com/mongodb/mongo/commit/417d1a712e9f040d54beca8e4943edce218e9a8c","digest":{"length":895,"function_hash":"35307776376996613208368469558635971073"},"signature_version":"v1","signature_type":"Function","target":{"function":"DocumentSourceShardCheckResumability::_assertOplogHasEnoughHistory","file":"src/mongo/db/pipeline/document_source_check_resume_token.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-b778bd51","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"length":180,"function_hash":"274544291887184650944379800949513136762"},"signature_version":"v1","signature_type":"Function","target":{"function":"WiredTigerHarnessHelper","file":"src/mongo/db/storage/wiredtiger/wiredtiger_standard_record_store_test.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-ba670f3c","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"line_hashes":["91055314593907758271581520916453233680","69400580127759428293100331030847686907","256253163489559536001890817179531253844","137484809639274624976462202084884865646","233354996002248994450811375019147216323","258560203673605396740210605139344302807","54712246082298648203107621335577855907","307800904484997096095719776127038579942","159379588331433999658642045305663683912","211727524224697119923606680857150769270","299483806370551535968508365956098446113","184933021766032046548868111426018119394","132494938563420263558657496031317238214","130893228505174576518198507217545198033","36732628835641092091783593094588260647","302031127111674900801362298521290365369","325480683017264320592302757544935470973","310328171411664039637669939519276160911","289145486250788516172093096461273047190","247628585208552138283206163555744516226","275239051466826275838393063692162946911","116376548743812900160537143042703123333","164486772153034520323226745742441309616","231968355649365043963983912752363832370","28691374122779552764930573739778662067","313700992358019747518429419886219112495","6925097916025524535816698214533196704","138443932340902702553947339465643158830","123693749380266184400512628193717955217","201296950247145913443590097656513358759","240540075116756743683504300481548049571","219805016373895661448378403625159538458","261259081224229000059884329424767238589"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_global_options.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-c600da6e","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"length":150,"function_hash":"143366803366694879392082889439580295691"},"signature_version":"v1","signature_type":"Function","target":{"function":"WiredTigerHarnessHelper","file":"src/mongo/db/storage/wiredtiger/wiredtiger_standard_record_store_test.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-cc93de27","source":"https://github.com/mongodb/mongo/commit/417d1a712e9f040d54beca8e4943edce218e9a8c","digest":{"line_hashes":["167518918914435676432805940120156966027","42577576105718594824592868041131127864","107829062590286512630322418334734066893","186644252817815549788452966273155634714","291439647942718436018620155882826246988","281090238329328453523002326089518094339","65631583751481164351762673206004578000","163486395883504952904815116704679049829"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/mongo/db/pipeline/document_source_check_resume_token.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-e84c3412","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"length":841,"function_hash":"138037723103739348523518582486217007310"},"signature_version":"v1","signature_type":"Function","target":{"function":"applyMaxCacheOverflowSizeGBParameter","file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp"}},{"deprecated":false,"id":"CVE-2019-2390-f0fcb07e","source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1","digest":{"line_hashes":["310146580520897529091603236058383986180","26476647247392739107244283062333938336","217180637706954189957457456304674143214","279510519548242700659241329706964909462","253231997010576437043582193026841235754","296696087895443701251287168509298372741","304780267454053032676945273545924287518","211752499210942888831639801962537288876","259814991867545950990499811176724444412","63707461790820426546467420079989263614","39333271144929399137406733847507298179","283002936117167343425544759961897720372","242882990221318487199694784758875632881","85487768097559104067683138212628255793","200924419717922695762157848011487157106","221379262514070593589592254769107946975","78510497639385470143827694551492761088"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_init.cpp"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-2390.json","vanir_signatures_modified":"2026-04-11T09:39:58Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}