
H3-2022-0067

Weak or Default Credentials - MongoDB

Category CREDENTIALS
Base Score 8.6

Description

If MongoDB is configured with authentication disabled or with weak credentials, an attacker may disclose or modify data stored in the database, including usernames and passwords of database users. The default configuration for MongoDB servers permits full access without requiring authentication. Weak credentials include passwords that are easily guessed, found through password spraying, or cracked using dictionary attacks. Default passwords are publicly known, so an attacker can obtain them and gain immediate access to a system.
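As an added example (not part of the original advisory), the following Python check reads mongod.conf text and reports when access control is off, including the case described above where the setting is simply absent. The sample configs are constructed, the parser covers only the nested key/value subset of YAML, and the treatment of `security.keyFile` assumes the documented behavior that a key file implies authorization.

```python
# Added example: audit mongod.conf text for disabled access control.
# parse_conf handles only the nested "key: value" subset of YAML that
# mongod.conf uses; it is not a general YAML parser.

def parse_conf(text):
    """Flatten nested mappings into {"section.key": "value"}."""
    settings, stack = {}, []  # stack: (indent, key) of currently open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (simplification)
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave finished sections
            stack.pop()
        value = value.strip().strip("'\"")
        if value:
            settings[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return settings

def audit_auth(text):
    """Return findings; an empty list means access control is enforced."""
    conf = parse_conf(text)
    authz = conf.get("security.authorization")
    if authz is not None:
        if authz.lower() == "enabled":
            return []
        return [f"security.authorization is '{authz}': no login required"]
    if "security.keyFile" in conf:  # per MongoDB docs, keyFile implies authorization
        return []
    return ["security.authorization not set: default is no access control"]

# Constructed sample configs (not taken from any real host).
DEFAULT_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
"""
HARDENED_CONF = DEFAULT_CONF + """\
security:
  authorization: enabled  # require users to authenticate
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_auth(conf) or "OK")
```

Enabling authorization only addresses the first half of the finding; the strength of the passwords set for database users still has to be checked separately.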

Impact

An attacker can access, disclose, and modify data stored in the database, including usernames and passwords of other database users.

References