Anonymous connections are allowed even when auth is enabled

XMLWordPrintableJSON

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major - P3
    • None
    • Affects Version/s: None
    • Component/s: Security
    • None
    • ALL
    • None
    • 3
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      It is a big security risk to allow anonymous authentication against a mongo server. This allows an unauthorized user to gain attack vector information about the database.

      All of the below commands can be run using an anonymous authentication:

      db.serverBuildInfo()
      db.version()
      db.adminCommand({ping:1})
      db.adminCommand({whatsmyuri:1})
      db.adminCommand({features:1})
      

              Assignee:
              Unassigned
              Reporter:
              James Cooke
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: