SERVER-17379 (Core Server)

HTTP interface's localhost exception check is too permissive

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 3.0.1, 3.1.0
    • Affects Version/s: None
    • Component/s: Security
    • Labels: None
    • Backwards Compatibility: Minor Change
    • Operating System: ALL

      Issue Status as of Apr 30, 2015

      ISSUE SUMMARY
      The HTTP interface has a more permissive localhost exception policy than the database server.

      USER IMPACT
      The embedded web server that provides the HTTP interface may allow a user to connect via localhost even if users are defined on the admin database and --auth is enabled. If no users are defined in the admin database, unauthenticated access via the HTTP interface from anywhere (not just localhost) is also possible.

      This is more permissive than the database server localhost exception policy.

      WORKAROUNDS
      As a workaround, follow our security best practices and disable the embedded web server.

      AFFECTED VERSIONS
      All previous versions of the HTTP interface are affected by this issue. The HTTP interface is disabled by default from 2.6.0 onwards.
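As an added example (not part of the ticket or of MongoDB's own tooling), the following audit flattens a mongod YAML config and reports which `net.http` keys leave the embedded web server on, so the workaround above can be verified across a fleet of config files. It assumes the 2.6+ YAML key names (`net.http.enabled`, `net.http.RESTInterfaceEnabled`, `net.http.JSONPEnabled`) and uses constructed sample configs.

```python
"""Audit a mongod.conf for the embedded HTTP interface (added example, not from SERVER-17379)."""
from typing import Dict, List, Tuple

# Settings that turn the embedded web server, or its REST/JSONP extensions, on.
# Assumption: 2.6+ YAML key names; all three should be false or absent.
HTTP_KEYS = ("net.http.enabled", "net.http.RESTInterfaceEnabled", "net.http.JSONPEnabled")


def flatten_yaml(text: str) -> Dict[str, str]:
    """Flatten indentation-nested 'key: value' YAML into dotted keys.

    Covers scalar values and nested mappings only, which is all mongod.conf
    needs here; lists, anchors and '#' inside quoted values are not handled.
    """
    flat: Dict[str, str] = {}
    path: List[Tuple[int, str]] = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:  # a dedent closes open mappings
            path.pop()
        dotted = ".".join([k for _, k in path] + [key.strip()])
        if value.strip():
            flat[dotted] = value.strip().strip("'\"")
        else:
            path.append((indent, key.strip()))  # start of a nested mapping
    return flat


def http_interface_findings(conf_text: str) -> List[str]:
    """Return the dotted keys that leave the HTTP interface enabled.

    A missing key means the 2.6+ default (disabled), so a clean config yields [].
    """
    flat = flatten_yaml(conf_text)
    return [k for k in HTTP_KEYS if flat.get(k, "false").lower() == "true"]


# Constructed sample configs: the weak one exposes the web server on port+1000.
WEAK_CONF = """
net:
  port: 27017
  http:
    enabled: true           # web server listens on 28017
    RESTInterfaceEnabled: true
security:
  authorization: enabled
"""
HARDENED_CONF = "net:\n  port: 27017\n  http:\n    enabled: false\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, http_interface_findings(conf) or "HTTP interface disabled")
```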

      FIX VERSION
      The fix is included in the 3.0.1 production release.

            Assignee: spencer@mongodb.com Spencer Brody (Inactive)
            Reporter: spencer@mongodb.com Spencer Brody (Inactive)