Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Duplicate
Priority: Major - P3
Fix Version/s: None
Affects Version/s: None
Component/s: Security
Labels:
None

Operating System:
ALL
Confidence Status:
None
Work Order:
3
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

It is a big security risk to allow anonymous authentication against a mongo server. This allows an unauthorized user to gain attack vector information about the database.

All of the below commands can be run using an anonymous authentication:

db.serverBuildInfo()
db.version()
db.adminCommand({ping:1})
db.adminCommand({whatsmyuri:1})
db.adminCommand({features:1})

duplicates

SERVER-12143 Make some unauthenticated commands require auth

Closed

Assignee:: Unassigned
Reporter:: James Cooke
Participants:: James Cooke, J Rassi
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: Sep 17 2014 07:38:58 PM UTC
Updated:: Dec 10 2014 11:05:10 PM UTC
Resolved:: Sep 17 2014 08:47:24 PM UTC

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates