Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Critical - P2
Fix Version/s: 2.1.1
Affects Version/s: 2.0.2
Component/s: Security
Labels:
- security

Backwards Compatibility:
Minor Change
Operating System:
ALL
Confidence Status:
None
Work Order:
0
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

Original Title: system.users collection placement allows offline dictionary attack for read-only users

When using authentication with mongodb, users with read-write permissions have their password hashes stored in system.users. Read-only users can read these hashes. This permits read-only users to read the password hashes of read/write users and perform an offline dictionary attack in order to escalate their privileges.

is related to

SERVER-7604 On MongoS read-only users should be denied access to system.users collection

Closed

SERVER-9009 mongodump fails when run by a read-only user

Closed

TOOLS-134 Mongodump and mongoexport should skip collections they don't have read access to

Closed

related to

SERVER-6031 read only user can get write priority

Closed

Assignee:: Mathias Stearn
Reporter:: Nathaniel McCallum
Participants:: auto, Eliot Horowitz, Mathias Stearn, Nathaniel McCallum
Votes:: 0 Vote for this issue
Watchers:: 4 Start watching this issue

Created:: Jan 16 2012 07:25:43 PM UTC
Updated:: Oct 30 2015 02:45:17 PM UTC
Resolved:: Mar 09 2012 12:51:44 AM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates