[SERVER-15293] Anonymous connections are allowed even when auth is enabled

Created: 17/Sep/14 | Updated: 10/Dec/14 | Resolved: 17/Sep/14

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | James Cooke | Assignee: | Unassigned |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Operating System: | ALL |
| Participants: | |

| Description |

It is a big security risk to allow anonymous authentication against a mongo server. This allows an unauthorized user to gain attack vector information about the database. All of the below commands can be run using an anonymous authentication:

| Comments |
| Comment by J Rassi [ 17/Sep/14 ] |

Hi James, I'm resolving this issue as a dup of Noting from the description of that ticket that the "ping" command is destined to be kept available on unauthenticated connections, please feel free to leave a comment on ~ Jason Rassi