-
Type: Bug
-
Resolution: Done
-
Priority: Major - P3
-
Affects Version/s: 3.1.7
-
Component/s: JavaScript
-
Fully Compatible
-
ALL
-
-
Security 15 (06/03/16), Security 2020-02-10, Security 2020-02-24
The ScopePool identifies the scope it should acquire from its map by creating a key with the following structure:
<db><JSOperation>[\0<user>@<db>]
As '@' is a legal character in both <user> and <db>, it is possible to construct two users so as to cause a collision.
- related to
-
SERVER-20365 "authentication failed, storedKey mismatch" on synthetic users and databases with '@'
- Closed
-
SERVER-20558 AuthorizationSession::getAuthenticatedUserNamesToken should produce opaque comparable objects
- Closed