Details
- Bug
- Resolution: Done
- Major - P3
- 3.1.7
- Fully Compatible
- ALL
- Security 15 (06/03/16), Security 2020-02-10, Security 2020-02-24
Description
The ScopePool identifies the scope it should acquire from its map by creating a key with the following structure:
<db><JSOperation>[\0<user>@<db>]
As '@' is a legal character in both <user> and <db>, it is possible to construct two users so as to cause a collision.
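The collision described above, as an added example that is not MongoDB's code: two distinct (user, db) pairs produce the same key under the `<user>@<db>` concatenation, while a length-prefixed encoding keeps them apart. The function names, the "app"/"where" values and the two principals are constructed for illustration, and the length-prefixed form is one possible unambiguous encoding, not the fix the project adopted.

```cpp
#include <initializer_list>
#include <iostream>
#include <set>
#include <string>

// Signature shared by both key builders (hypothetical names, not MongoDB's).
using KeyFn = std::string (*)(const std::string& db, const std::string& op,
                              const std::string& user, const std::string& userDb);

// Key built as the ticket describes: <db><JSOperation>\0<user>@<db>.
std::string ambiguousKey(const std::string& db, const std::string& op,
                         const std::string& user, const std::string& userDb) {
    std::string key = db + op;
    key.push_back('\0');
    return key + user + "@" + userDb;
}

// Alternative encoding: every field is preceded by its length, so no
// character inside a field can be mistaken for a field boundary.
std::string lengthPrefixedKey(const std::string& db, const std::string& op,
                              const std::string& user, const std::string& userDb) {
    std::string key;
    for (const std::string* field : {&db, &op, &user, &userDb}) {
        key += std::to_string(field->size());
        key.push_back(':');
        key += *field;
    }
    return key;
}

// Number of distinct pool slots two different principals end up with.
// Constructed principals: user "a@b" on db "c", and user "a" on db "b@c".
std::size_t distinctSlots(KeyFn makeKey) {
    std::set<std::string> slots;
    slots.insert(makeKey("app", "where", "a@b", "c"));
    slots.insert(makeKey("app", "where", "a", "b@c"));
    return slots.size();
}

int main() {
    std::cout << "user@db concatenation: " << distinctSlots(ambiguousKey)
              << " slot(s) for 2 principals\n";
    std::cout << "length-prefixed fields: " << distinctSlots(lengthPrefixedKey)
              << " slot(s) for 2 principals\n";
    return 0;
}
```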
Issue Links
- related to
  - SERVER-20365 "authentication failed, storedKey mismatch" on synthetic users and databases with '@' (Closed)
  - SERVER-20558 AuthorizationSession::getAuthenticatedUserNamesToken should produce opaque comparable objects (Closed)