Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-15293

Anonymous connections are allowed even when auth is enabled

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Duplicate
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: Security
    • Labels:
      None
    • ALL

      It is a big security risk to allow anonymous authentication against a mongo server. This allows an unauthorized user to gain attack vector information about the database.

      All of the below commands can be run using an anonymous authentication:

      db.serverBuildInfo()
db.version()
db.adminCommand({ping:1})
db.adminCommand({whatsmyuri:1})
db.adminCommand({features:1})

            Assignee:
            Unassigned Unassigned
            Reporter:
            jtcooke James Cooke
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: