[Security] Potential Write operations in Read Mode through aggregation pipeline stages


    • Type: Story
    • Resolution: Fixed
    • Priority: Major - P3
    • 1.0.0
    • Affects Version/s: None
    • Component/s: None
    • None
    • Not Needed
    • Developer Tools

      In general, an aggregation pipeline is considered a readOnly operation, so it will be enabled in readOnly mode.
      However, it can contain data modification stages - $out, $merge.

      So even though the server is running in readOnly mode, if MongoDB users have write privileges, the MCP Server client will be able to alter the data in the database.

      Medium | Input Sanitization

      Implement aggregation pipeline validation and prevent usage of $out and $merge stages in readOnly mode.

      Also prevent usage of $out and $merge as part of ExportTool.

      * Partially implemented
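
One way to implement the pipeline validation recommended above, as an added example that is not the MongoDB MCP Server's own code. It assumes the pipeline arrives as an already-parsed array of stage documents; `findWriteStages` and `assertPipelineAllowed` are hypothetical names, and the walk into `$facet`, `$lookup` and `$unionWith` sub-pipelines goes beyond what the ticket describes.

```typescript
// Added example; not the MongoDB MCP Server's own code.
const WRITE_STAGES = new Set(["$out", "$merge"]);

type Doc = { [key: string]: unknown };

function isDoc(v: unknown): v is Doc {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Returns the path of every $out/$merge stage. Sub-pipelines of $facet,
// $lookup and $unionWith are walked too, as a defensive measure, so the
// check does not rely on the server rejecting write stages there.
function findWriteStages(pipeline: unknown, path: string = "pipeline"): string[] {
  if (!Array.isArray(pipeline)) {
    throw new TypeError(`${path} must be an array of stages`);
  }
  const hits: string[] = [];
  pipeline.forEach((stage: unknown, i: number) => {
    const here = `${path}[${i}]`;
    if (!isDoc(stage)) throw new TypeError(`${here} must be a document`);
    for (const [name, spec] of Object.entries(stage)) {
      if (WRITE_STAGES.has(name)) hits.push(`${here}.${name}`);
      if (!isDoc(spec)) continue;
      if (name === "$facet") {
        for (const [facet, sub] of Object.entries(spec)) {
          hits.push(...findWriteStages(sub, `${here}.$facet.${facet}`));
        }
      } else if ((name === "$lookup" || name === "$unionWith") && "pipeline" in spec) {
        hits.push(...findWriteStages(spec["pipeline"], `${here}.${name}.pipeline`));
      }
    }
  });
  return hits;
}

// Hypothetical guard to call before running an aggregation or an export.
function assertPipelineAllowed(pipeline: unknown, readOnly: boolean): void {
  const hits = readOnly ? findWriteStages(pipeline) : [];
  if (hits.length > 0) {
    throw new Error(`readOnly mode forbids write stages: ${hits.join(", ")}`);
  }
}

// Constructed sample pipelines.
const READ_PIPELINE: unknown = [{ $match: { status: "A" } }, { $group: { _id: "$cust", n: { $sum: 1 } } }];
const WRITE_PIPELINE: unknown = [{ $match: { status: "A" } }, { $merge: { into: "report" } }];
```

The guard fails closed: a pipeline that is not an array of documents is rejected rather than passed through unchecked.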

            Assignee:
            Nikola Irinchev
            Reporter:
            Bianca Lisle