CVE-2019-2388 is a vulnerability in MongoDB Ops Manager
Published on May 13, 2020
Potential exposure of log information in Ops Manager
In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.
Vulnerability Analysis
CVE-2019-2388 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
What is a forced browsing Vulnerability?
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.
CVE-2019-2388 has been classified to as a forced browsing vulnerability or weakness.
Products Associated with CVE-2019-2388
Want to know whenever a new CVE is published for MongoDB Ops Manager? stack.watch will email you.
Affected Versions
MongoDB Inc. MongoDB Ops Manager:- Version 4.0.9 is affected.
- Version 4.0.10 is affected.
- Version 4.1.5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.