Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-4692

Read-only users should be denied access to system.users collection

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Fixed
    • Affects Version/s: 2.0.2
    • Fix Version/s: 2.1.1
    • Component/s: Security
    • Labels:
    • Backwards Compatibility:
      Minor Change
    • Operating System:
      ALL

      Description

      Original Title: system.users collection placement allows offline dictionary attack for read-only users

      When using authentication with mongodb, users with read-write permissions have their password hashes stored in system.users. Read-only users can read these hashes. This permits read-only users to read the password hashes of read/write users and perform an offline dictionary attack in order to escalate their privileges.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: