ISSUE SUMMARY
The HTTP interface has a more permissive localhost exception policy than the database server.
USER IMPACT
The embedded web server that provides the HTTP interface may allow a user to connect via localhost even when users are defined in the admin database and --auth is enabled. If no users are defined in the admin database, unauthenticated access via the HTTP interface is also possible from anywhere, not just from localhost.
This is more permissive than the localhost exception that the database server itself applies, under which the exception closes as soon as the first user is created in the admin database.
WORKAROUNDS
As a workaround, follow our security best practices and disable the embedded web server (set net.http.enabled to false in the configuration file, or start mongod with --nohttpinterface).
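To verify that the workaround has actually taken effect, the following added example (not MongoDB's own code and not part of this advisory) probes the port the embedded web server would use, which is the mongod port plus 1000 (28017 for the default 27017). The host and port arguments, the 2-second timeout, and the decision to treat any HTTP status line on that port as the interface answering are assumptions of the example.

```python
"""Probe a mongod host for a listening HTTP status interface.

Added example, not part of the original advisory or of MongoDB's tooling.
Assumption: the embedded web server listens on the mongod port plus 1000
(28017 for the default 27017), and a listener on that port that answers a
plain GET / with an HTTP status line is that interface.
"""
import socket

HTTP_PORT_OFFSET = 1000  # the HTTP interface listens on mongod's port + 1000


def http_interface_port(mongod_port: int) -> int:
    """Return the port the embedded web server would listen on."""
    return mongod_port + HTTP_PORT_OFFSET


def probe_http_interface(host: str, port: int, timeout: float = 2.0) -> dict:
    """Attempt a plain HTTP GET against host:port and classify the result.

    Returns a dict with:
      reachable - True if a TCP connection was accepted
      status    - the HTTP status line from the response, if one was received
    A reachable port that answers with a status line means the embedded web
    server is still up and the workaround (disabling it) is not in place.
    """
    result = {"host": host, "port": port, "reachable": False, "status": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            sock.settimeout(timeout)
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            # Read until the end of the first line or a small size cap.
            while b"\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
            first_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
            if first_line.startswith("HTTP/"):
                result["status"] = first_line
    except OSError:
        # Connection refused, unreachable host, or timeout: nothing listening
        # that we could talk to, so reachable stays False.
        pass
    return result


def audit(host: str, mongod_port: int = 27017, timeout: float = 2.0) -> str:
    """One-line verdict for a host, for use from a shell or a cron job."""
    r = probe_http_interface(host, http_interface_port(mongod_port), timeout)
    if not r["reachable"]:
        return f"{host}:{r['port']} closed: HTTP interface not reachable"
    if r["status"]:
        return f"{host}:{r['port']} open: HTTP interface answers ({r['status']})"
    return f"{host}:{r['port']} open: something is listening but did not speak HTTP"


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["127.0.0.1"]:
        print(audit(target))
```

Run it both on the server itself (against 127.0.0.1) and from another host: the advisory's point is that the interface may answer on localhost even after users exist in the admin database, and from any address while the admin database is empty, so a check from only one vantage point is not conclusive. If a mongod runs on a non-default port, pass that port so the offset is applied to the right base.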
AFFECTED VERSIONS
All versions of the HTTP interface prior to the fix version are affected by this issue. The HTTP interface is disabled by default from 2.6.0 onwards.
FIX VERSION
The fix is included in the 3.0.1 production release.
- is duplicated by: SERVER-17686 Access to http interface when authentication is enabled (Closed)