[SERVER-24378] Authenticating against non-existent database with 2.4 style users should not create database in memory

Created: 02/Jun/16 | Updated: 07/Jun/17 | Resolved: 02/Jun/16

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Ramon Fernandez Marina | Assignee: | Unassigned |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | asp, asp-cve, asp-sdl-reported, asp-vuln-dos |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |
| Description |

Issue Status as of Jun 02, 2016

ISSUE SUMMARY
This bug has been assigned CVE-2016-3104.

USER IMPACT

AFFECTED VERSIONS
To find out if your deployment has 2.4-style users, please see the documentation on auth schemas. Neither MongoDB 2.6 with 2.6-style users nor MongoDB 3.0 and newer are affected by this issue.

WORKAROUNDS AND REMEDIATION
MongoDB 2.6 users affected by this issue should complete the 2.6 upgrade process and upgrade their authorization schema. For more information on remediation, please see the Security Manual and the Security Checklist.