Java Driver / JAVA-2462

Unauthenticated LDAP user gaining db access

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major - P3
    • Affects Version/s: 3.2.1
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      OSX 10.11.16, mongodb-driver (3.2.1), mongodb-driver-core (3.2.1), bson (3.2.1), java version "1.8.0_112", Java(TM) SE Runtime Environment (build 1.8.0_112-b16), Java HotSpot(TM) 64-Bit Server VM (build 25.112-b16, mixed mode)

      While testing a program that instantiates a MongoClient instance for the user, I came across the following:

      1) the MongoClient does not perform any authentication when being created
      2) authentication occurs when a command is being executed on the MongoClient

      I want to check if provided credentials are valid before returning the MongoClient to the user, so I began testing to see what command would throw an exception if the credentials were incorrect.

      During one of my tests I observed the following:
      1) a MongoClient that was created with invalid credentials was capable of connecting to our db, listing out the collections, and listing out the documents within those collections.

      This MongoClient is being instantiated with a MongoClientURI which contains the username and password. The users are authenticated using LDAP.

            Assignee: Unassigned
            Reporter: Mitchell Arnett (marnett)
            Votes: 0
            Watchers: 1

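
One fail-closed way to do the pre-return credential check the report asks for, as an added example (not the reporter's code and not part of the driver): instead of waiting for a command to throw, ask the server who the connection is authenticated as and refuse to hand out the client unless it names the expected user. It assumes the server answers the `connectionStatus` command and that LDAP users authenticate against `$external`; the class, method names and sample replies are hypothetical.

```java
import com.mongodb.MongoClient;
import com.mongodb.MongoClientURI;
import com.mongodb.MongoException;
import org.bson.Document;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class VerifiedMongoClientFactory {

    /** True only if the connectionStatus reply lists the expected user/db pair. */
    @SuppressWarnings("unchecked")
    static boolean isAuthenticatedAs(Document reply, String user, String authDb) {
        Document authInfo = reply.get("authInfo", Document.class);
        if (authInfo == null) return false;
        List<Document> users = (List<Document>) authInfo.get("authenticatedUsers");
        if (users == null) return false;
        for (Document u : users) {
            if (user.equals(u.getString("user")) && authDb.equals(u.getString("db"))) return true;
        }
        return false; // anonymous or differently-authenticated session: fail closed
    }

    /** Hypothetical helper: returns a client only after the server confirms the identity. */
    static MongoClient open(String uriString, String authDb) {
        MongoClientURI uri = new MongoClientURI(uriString);
        if (uri.getUsername() == null) throw new SecurityException("URI carries no credentials");
        MongoClient client = new MongoClient(uri); // no authentication has happened yet
        try {
            Document reply = client.getDatabase("admin").runCommand(new Document("connectionStatus", 1));
            if (isAuthenticatedAs(reply, uri.getUsername(), authDb)) return client;
        } catch (MongoException e) { // includes authentication failures raised by the driver
            client.close();
            throw new SecurityException("credential check failed", e);
        }
        client.close();
        throw new SecurityException("connection is not authenticated as " + uri.getUsername());
    }

    public static void main(String[] args) {
        // Constructed connectionStatus replies (not captured from a real server).
        Document anon = new Document("authInfo",
                new Document("authenticatedUsers", Collections.emptyList())).append("ok", 1.0);
        Document ldap = new Document("authInfo", new Document("authenticatedUsers",
                Arrays.asList(new Document("user", "alice").append("db", "$external")))).append("ok", 1.0);
        System.out.println("anonymous session accepted: " + isAuthenticatedAs(anon, "alice", "$external"));
        System.out.println("LDAP session accepted: " + isAuthenticatedAs(ldap, "alice", "$external"));
    }
}
```

A probe that only checks whether a command succeeds cannot distinguish a valid login from a session the server treats as unauthenticated but still permits, which is why this check compares the reported identity instead.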