[SERVER-15293] Anonymous connections are allowed even when auth is enabled Created: 17/Sep/14  Updated: 10/Dec/14  Resolved: 17/Sep/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: James Cooke Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-12143 Make some unauthenticated commands re... Closed
Operating System: ALL
Participants:

Description

It is a big security risk to allow anonymous authentication against a mongo server. This allows an unauthorized user to gain attack vector information about the database.

All of the below commands can be run using an anonymous authentication:

db.serverBuildInfo()
db.version()
db.adminCommand({ping:1})
db.adminCommand({whatsmyuri:1})
db.adminCommand({features:1})

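The commands the reporter lists can be checked directly. The mongo shell script below is an added example, not code from the ticket or from MongoDB: run it connected to a server that has authentication enabled but without supplying credentials, and it reports which commands the server still answers. It adds `listDatabases` as a control that is assumed to require authentication, and assumes error code 13 is the server's "Unauthorized" code; both are assumptions of the example, not facts stated in the ticket.

```javascript
// Added example: probe which commands a MongoDB server answers on an
// unauthenticated connection. Not code from the ticket or from MongoDB.
// Run in the mongo shell (legacy `mongo` or `mongosh`) against a server
// with auth enabled, connected WITHOUT credentials.
// Assumptions (not from the ticket): listDatabases is used as a control
// that should be refused pre-auth; code 13 is the server's Unauthorized code.

const PROBES = [
  { name: "buildInfo",     cmd: { buildInfo: 1 },     expectOpen: true },  // db.serverBuildInfo() / db.version()
  { name: "ping",          cmd: { ping: 1 },          expectOpen: true },
  { name: "whatsmyuri",    cmd: { whatsmyuri: 1 },    expectOpen: true },
  { name: "features",      cmd: { features: 1 },      expectOpen: true },
  { name: "listDatabases", cmd: { listDatabases: 1 }, expectOpen: false }, // control: must require auth
];

const UNAUTHORIZED = 13; // assumed Unauthorized error code

// Run one command and normalise the two shell behaviours: the legacy shell
// returns {ok: 0, code: 13, ...} while mongosh throws a MongoServerError.
function runProbe(adminDb, probe) {
  let res;
  try {
    res = adminDb.adminCommand(probe.cmd);
  } catch (e) {
    res = { ok: 0, code: e.code, errmsg: e.message };
  }
  const open = res.ok === 1;
  return {
    name: probe.name,
    open,                                              // answered without credentials
    deniedByAuth: !open && res.code === UNAUTHORIZED,  // refused specifically for auth
    unexpected: open !== probe.expectOpen,             // differs from what we expected
  };
}

// Probe every command; return per-command results plus the names of the
// commands that answer pre-auth and those that behaved unexpectedly.
function probeUnauthenticated(adminDb, probes) {
  const list = probes || PROBES;
  const results = list.map(function (p) { return runProbe(adminDb, p); });
  return {
    results: results,
    openPreAuth: results.filter(function (r) { return r.open; }).map(function (r) { return r.name; }),
    unexpected: results.filter(function (r) { return r.unexpected; }).map(function (r) { return r.name; }),
  };
}

// Inside the mongo shell `db` is the current connection; print a report.
if (typeof db !== "undefined") {
  const log = typeof print === "function" ? print : console.log;
  const report = probeUnauthenticated(db);
  report.results.forEach(function (r) {
    const state = r.open ? "OPEN (answers pre-auth)" : r.deniedByAuth ? "denied (Unauthorized)" : "failed";
    log(r.name + ": " + state);
  });
  log("Commands answering without credentials: " + report.openPreAuth.join(", "));
  if (report.unexpected.length) log("Unexpected: " + report.unexpected.join(", "));
}
```

Anything reported as OPEN is information the server hands to a client that has not proven its identity; anything in the "Unexpected" line is either a control command that leaked or a listed command that this server version now refuses.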


Comments
Comment by J Rassi [ 17/Sep/14 ]

Hi James,

I'm resolving this issue as a dup of SERVER-12143. Please add yourself as a watcher to that ticket.

Noting from the description of that ticket that the "ping" command is destined to be kept available on unauthenticated connections, please feel free to leave a comment on SERVER-12143 describing why you believe this decision to be an error.

~ Jason Rassi

Generated at Thu Feb 08 03:37:36 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.