<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 05:49:38 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-60370] Changing the name of a collection will result in wrong authorization of database collection access.</title>
                <link>https://jira.mongodb.org/browse/SERVER-60370</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;I would like to report a security issue on mongoDB privilege and role management.&lt;br/&gt;
When the database administrator changes a collection&apos;s name, the role&apos;s privilege relevant to the corresponding collection doesn&apos;t reflect the change and gives users the ability to get data from collections they are not supposed to read.&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;Company name: BEIJING DBSEC TECHNOLOGY CO., LTD.&lt;br/&gt;
Personal name: Eddie Zhu&lt;br/&gt;
Web site:&#160;&lt;a href=&quot;http://www.dbsec.cn/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;www.dbsec.cn&lt;/a&gt;&lt;/p&gt;</description>
                <environment>MongoDB server version: 5.0&lt;br/&gt;
CentOS Linux release 7.6.1810 (Core)</environment>
        <key id="1887404">SERVER-60370</key>
            <summary>Changing the name of a collection will result in wrong authorization of database collection access.</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13202">Works as Designed</resolution>
                                        <assignee username="edwin.zhou@mongodb.com">Edwin Zhou</assignee>
                                    <reporter username="zhuqiangtj@gmail.com">Zhu Eddie</reporter>
                        <labels>
                    </labels>
                <created>Thu, 30 Sep 2021 22:45:14 +0000</created>
                <updated>Fri, 27 Oct 2023 13:52:15 +0000</updated>
                            <resolved>Fri, 1 Oct 2021 16:15:05 +0000</resolved>
                                    <version>5.0.0</version>
                <votes>0</votes>
                                    <watches>2</watches>
                <comments>
                            <comment id="4116483" author="JIRAUSER1257066" created="Mon, 11 Oct 2021 18:26:18 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=zhuqiangtj%40gmail.com&quot; class=&quot;user-hover&quot; rel=&quot;zhuqiangtj@gmail.com&quot;&gt;zhuqiangtj@gmail.com&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;I appreciate your continued input regarding MongoDB&apos;s security. I understand you&apos;re concerned that renaming a collection may allow for unintended access from other users. &lt;/p&gt;

&lt;p&gt;However, there are no additional privileges gained due to renameCollection. A user that is authorized to renameCollection must have read privileges for the source collection and write privileges for the target collection. That is, any user that can rename a source to a target collection can already expose documents from the source collection to other users with read privileges on the target collection. For example, they may already expose documents on the source collection by copying them to the target collection.&lt;/p&gt;

&lt;p&gt;Best,&lt;br/&gt;
Edwin&lt;/p&gt;</comment>
                            <comment id="4114310" author="JIRAUSER1257262" created="Sat, 9 Oct 2021 02:53:27 +0000"  >&lt;p&gt;Hi Edwin,&lt;/p&gt;

&lt;p&gt;MongoDB allows users to rename a collection, which could affect the relevant collection authorization and access. Does that sound logical?&lt;/p&gt;

&lt;p&gt;I don&apos;t think so.&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;Eddie Zhu&lt;/p&gt;</comment>
                            <comment id="4096881" author="JIRAUSER1257066" created="Fri, 1 Oct 2021 16:15:05 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=zhuqiangtj%40gmail.com&quot; class=&quot;user-hover&quot; rel=&quot;zhuqiangtj@gmail.com&quot;&gt;zhuqiangtj@gmail.com&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;Thanks for your report. We believe this works as designed because authorization is determined by the resource name, rather than the data in the resource. So if a user has read access to a namespace of database1.t1, and database1.t2 is renamed to database1.t1, then the user will be able to read the renamed collection that was formerly known as database1.t2.&lt;/p&gt;

&lt;p&gt;Best,&lt;br/&gt;
Edwin&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Fri, 1 Oct 2021 14:13:05 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        2 years, 17 weeks, 2 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            2 years, 17 weeks, 2 days ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>edwin.zhou@mongodb.com</customfieldvalue>
            <customfieldvalue>zhuqiangtj@gmail.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i03ujj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hznlyn:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10750" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Steps To Reproduce</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>&lt;p&gt;As dbOwner of database1:&lt;/p&gt;

&lt;p&gt;1.&lt;/p&gt;
&lt;pre&gt;use database1
db.t1.insertMany([
  { name: &apos;t1&apos;, email: &apos;t1table@example.com&apos; },
  { name: &apos;lexas&apos;, email: &apos;lexas@example.com&apos; }
])

db.t2.insertMany([
  { name: &apos;t2&apos;, email: &apos;t2table@example.com&apos; },
  { name: &apos;linsay&apos;, email: &apos;linsay@example.com&apos; }
])

db.createRole(
  {
    role: &quot;t1Read&quot;,
    privileges: [
      {
        resource: { db: &quot;database1&quot;, collection: &quot;t1&quot; },
        actions: [ &quot;find&quot; ]
      }
    ],
    roles: []
  }
)

db.createRole(
  {
    role: &quot;t2Read&quot;,
    privileges: [
      {
        resource: { db: &quot;database1&quot;, collection: &quot;t2&quot; },
        actions: [ &quot;find&quot; ]
      }
    ],
    roles: []
  }
)

db.createUser({
  user: &quot;usr1&quot;,
  pwd: &quot;123456&quot;,
  roles: [ { role: &quot;t1Read&quot;, db: &quot;database1&quot; } ]
})

db.createUser({
  user: &quot;usr2&quot;,
  pwd: &quot;123456&quot;,
  roles: [ { role: &quot;t2Read&quot;, db: &quot;database1&quot; } ]
})&lt;/pre&gt;

&lt;p&gt;2. Login as usr1:&lt;/p&gt;
&lt;pre&gt;test&amp;gt; use database1
switched to db database1
database1&amp;gt; db.t1.find({})
[
  {
    _id: ObjectId(&quot;6155864d0133ab8df9f21ceb&quot;),
    name: &apos;t1&apos;,
    email: &apos;t1table@example.com&apos;
  },
  {
    _id: ObjectId(&quot;6155864d0133ab8df9f21cec&quot;),
    name: &apos;lexas&apos;,
    email: &apos;lexas@example.com&apos;
  }
]
database1&amp;gt; db.t2.find({})
MongoServerError: not authorized on database1 to execute command { find: &quot;t2&quot;, filter: {}, lsid: { id: UUID(&quot;a4aad0fe-9183-45af-a240-713c79eba1cc&quot;) }, $db: &quot;database1&quot; }&lt;/pre&gt;

&lt;p&gt;3. As dbOwner of database1:&lt;/p&gt;
&lt;pre&gt;use database1
database1&amp;gt; db.t1.renameCollection(&apos;t3&apos;);
database1&amp;gt; db.t2.renameCollection(&apos;t1&apos;);
database1&amp;gt; db.t3.renameCollection(&apos;t2&apos;);&lt;/pre&gt;

&lt;p&gt;4. Login as usr1:&lt;/p&gt;
&lt;pre&gt;database1&amp;gt; db.t1.find({})
[
  {
    _id: ObjectId(&quot;615586580133ab8df9f21ced&quot;),
    name: &apos;t2&apos;,
    email: &apos;t2table@example.com&apos;
  },
  {
    _id: ObjectId(&quot;615586580133ab8df9f21cee&quot;),
    name: &apos;linsay&apos;,
    email: &apos;linsay@example.com&apos;
  }
]
database1&amp;gt; db.t2.find({})
MongoServerError: not authorized on database1 to execute command { find: &quot;t2&quot;, filter: {}, lsid: { id: UUID(&quot;a4aad0fe-9183-45af-a240-713c79eba1cc&quot;) }, $db: &quot;database1&quot; }&lt;/pre&gt;

&lt;p&gt;As you can see, after renaming the collections, usr1 actually gets the data from the collection t2, which he&apos;s not supposed to be able to read.&lt;/p&gt;</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                    <customfieldvalue><![CDATA[edwin.zhou@mongodb.com]]></customfieldvalue>
    

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i03gov:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>