-
Type: Bug
-
Resolution: Duplicate
-
Priority: Major - P3
-
None
-
Affects Version/s: None
-
Component/s: Security
-
None
-
ALL
It is a big security risk to allow anonymous authentication against a mongo server. This allows an unauthorized user to gain attack vector information about the database.
All of the below commands can be run using an anonymous authentication:
db.serverBuildInfo() db.version() db.adminCommand({ping:1}) db.adminCommand({whatsmyuri:1}) db.adminCommand({features:1})
- duplicates
-
SERVER-12143 Make some unauthenticated commands require auth
- Closed