[SERVER-15293] Anonymous connections are allowed even when auth is enabled - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Duplicate
Affects Version/s: None
Fix Version/s: None
Component/s: Security
Labels:
None

Operating System:
ALL

Description

It is a big security risk to allow anonymous authentication against a mongo server. This allows an unauthorized user to gain attack vector information about the database.

All of the below commands can be run using an anonymous authentication:

db.serverBuildInfo()

db.version()

db.adminCommand({ping:1})

db.adminCommand({whatsmyuri:1})

db.adminCommand({features:1})

Attachments

Issue Links

duplicates

SERVER-12143 Make some unauthenticated commands require auth

Closed

Activity

People

Assignee:: Unassigned

Reporter:: James Cooke

Participants:: James Cooke, J Rassi

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: Sep 17 2014 07:38:58 PM UTC

Updated:: Dec 10 2014 11:05:10 PM UTC

Resolved:: Sep 17 2014 08:47:24 PM UTC