H3-2022-0070
Anonymous MongoDB Access
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 8.6 |
Description
Anonymous login is allowed on the MongoDB server. The default configuration for MongoDB servers permits full access without requiring authentication.
Impact
Anonymous login allows any remote user to connect to the MongoDB server without providing a password or unique credentials. This allows an attacker to access, disclose, and modify data stored in the database, possibly including usernames and passwords of other database users.