H3-2022-0031¶

Unauthenticated Access to Mongo Express

Description¶

The Mongo-express application requires no authentication.

Impact¶

An unauthenticated attacker can access all the information stored by the application. In some older versions of Mongo-express this may also lead to remote code execution.

References¶

• How do I run mongo-express (without authentication)?
• Too fast, too insecure: Securing Mongo Express web administrative interfaces
• CWE-306: Missing Authentication for Critical Function