Read-only users should be denied access to system.users collection

XMLWordPrintableJSON

    • Type: Bug
    • Resolution: Done
    • Priority: Critical - P2
    • 2.1.1
    • Affects Version/s: 2.0.2
    • Component/s: Security
    • Minor Change
    • ALL
    • None
    • 0
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Original Title: system.users collection placement allows offline dictionary attack for read-only users

      When using authentication with mongodb, users with read-write permissions have their password hashes stored in system.users. Read-only users can read these hashes. This permits read-only users to read the password hashes of read/write users and perform an offline dictionary attack in order to escalate their privileges.

              Assignee:
              Mathias Stearn
              Reporter:
              Nathaniel McCallum
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: