- Type: Bug
- Resolution: Works as Designed
- Priority: Major - P3
- None
- Affects Version/s: 4.4.8
- Component/s: None
- Labels:
- ALL
- Execution Team 2021-10-04
As per the MongoDB docs, an ObjectId consists of the following:
- a 4-byte timestamp value, representing the ObjectId's creation, measured in seconds since the Unix epoch
- a 5-byte random value
- a 3-byte incrementing counter, initialized to a random value
I observed in production that ObjectIds which are being generated are following a sequential pattern that is easy to guess or predict and is a security threat in terms of data security.
As per my investigation, MongoDB ObjectId is not honoring point 2 mentioned in the documentation, as highlighted in red.
- is related to
  - DOCS-14824 Clarify that the random part of ObjectId is generated once at startup (Closed)
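
The three-field layout quoted in the report, and the behaviour named in the DOCS-14824 title, can be checked by splitting ObjectIds into their fields and seeing which ones vary. This is an added example, not code from the ticket or from MongoDB; the sample IDs are constructed, and `describe_batch` and `opaque_reference` are hypothetical helper names, the latter showing a CSPRNG token as an assumed alternative where a reference must be unguessable.

```python
import secrets
from datetime import datetime, timezone
from typing import NamedTuple


class ObjectIdParts(NamedTuple):
    timestamp: datetime  # bytes 0-3: big-endian seconds since the Unix epoch
    random: bytes        # bytes 4-8: the 5-byte random value
    counter: int         # bytes 9-11: big-endian incrementing counter


def parse_object_id(hex_id: str) -> ObjectIdParts:
    """Split a 24-hex-character ObjectId into the three documented fields."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("an ObjectId is 12 bytes (24 hex characters)")
    seconds = int.from_bytes(raw[:4], "big")
    return ObjectIdParts(datetime.fromtimestamp(seconds, tz=timezone.utc),
                         raw[4:9], int.from_bytes(raw[9:], "big"))


def describe_batch(hex_ids):
    """Summarise which fields actually vary across IDs, in the order given."""
    parts = [parse_object_id(h) for h in hex_ids]
    counters = [p.counter for p in parts]
    return {
        "distinct_random_values": len({p.random for p in parts}),
        # The counter is 3 bytes wide, so differences are taken modulo 2**24.
        "counter_steps": [(b - a) % (1 << 24) for a, b in zip(counters, counters[1:])],
        "time_span_seconds": int((parts[-1].timestamp - parts[0].timestamp).total_seconds()),
    }


def opaque_reference(nbytes: int = 16) -> str:
    """Unguessable handle from the OS CSPRNG, for use where secrecy matters."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample IDs (timestamp + random + counter), not taken from the ticket.
SAMPLE_IDS = [
    "615ab2c0" "a1b2c3d4e5" "10f3a1",
    "615ab2c0" "a1b2c3d4e5" "10f3a2",
    "615ab2c1" "a1b2c3d4e5" "10f3a3",
]

if __name__ == "__main__":
    print(describe_batch(SAMPLE_IDS))
    print(opaque_reference())
```

For IDs produced by a single process, only the timestamp and counter differ between entries, so an ObjectId works as an identifier but should not double as an access secret.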