MongoDB Service Without Authentication Detection

Critical | Nessus Plugin ID 81777

Synopsis

The remote host is running a database system that does not have authentication enabled.

Description

MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without any authentication. A remote attacker can therefore connect to the database system in order to create, read, update, and delete documents, collections, and databases.

The legacy wire-protocol opcode that Nessus uses to determine whether the MongoDB instance accepts unauthenticated requests was deprecated in MongoDB 5.0, so the plugin's result may be unreliable against those versions. Until a viable replacement check has been determined, manually confirm whether authentication is enabled when assessing MongoDB 5.0 or later.
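The manual confirmation asked for above can be scripted. The following POSIX shell helper is an example added to this page (it is not Tenable plugin code) and assumes the mongosh client is installed on the scanning host and that the target listens on the default TCP port 27017. It issues an unauthenticated listDatabases command and classifies the reply: a successful JSON document means authentication is disabled, a "requires authentication" / Unauthorized error means it is enabled, and a network error means the port was not reachable. The sample responses used for the classifier are constructed here, not captured from a live server.

```shell
#!/bin/sh
# Example check for MongoDB authentication (added for this page; not Nessus code).
# Assumes: mongosh on PATH, target reachable on TCP 27017 unless overridden.

# Classify the text that mongosh prints for an unauthenticated listDatabases call.
# Prints one of: auth_enabled, unreachable, auth_disabled, unknown.
classify_mongo_auth() {
  output="$1"
  case "$output" in
    # Server is up, rejected the command: authorization is on.
    *"requires authentication"*|*"Unauthorized"*)
      echo auth_enabled ;;
    # Could not reach the port at all; says nothing about authentication.
    *ECONNREFUSED*|*ETIMEDOUT*|*MongoNetworkError*|*MongoServerSelectionError*)
      echo unreachable ;;
    # Command succeeded without credentials: authorization is off (finding confirmed).
    *'"databases"'*|*'"ok":1'*)
      echo auth_disabled ;;
    *)
      echo unknown ;;
  esac
}

# Run the probe against a host/port and classify the result.
# Usage: probe_mongo_auth HOST [PORT]
probe_mongo_auth() {
  host="$1"
  port="${2:-27017}"
  # --quiet suppresses the banner; stderr is merged so error text reaches the classifier.
  out="$(mongosh --quiet --host "$host" --port "$port" \
          --eval 'JSON.stringify(db.adminCommand({listDatabases: 1}))' 2>&1)"
  classify_mongo_auth "$out"
}

# Only probe when a target is supplied via the environment, so sourcing the file is harmless.
if [ -n "$MONGO_PROBE_HOST" ]; then
  probe_mongo_auth "$MONGO_PROBE_HOST" "${MONGO_PROBE_PORT:-27017}"
fi
```

Run it as MONGO_PROBE_HOST=10.0.0.5 sh mongo_auth_probe.sh (MONGO_PROBE_HOST and MONGO_PROBE_PORT are names chosen for this example). An auth_disabled result confirms this finding on any MongoDB version, including 5.0 and later; an unreachable result means the check must be repeated from a host that can actually reach the service before the plugin's result is accepted or dismissed.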

Solution

Enable authentication, or restrict access to the MongoDB service. To enable authentication, create an administrative user (the localhost exception allows this before authorization is turned on), set security.authorization: enabled in the mongod configuration file and restart the service. To restrict access, bind the listener only to trusted interfaces with net.bindIp and filter the MongoDB port (27017 by default) at the network layer so that only application hosts can reach it. Both measures together are preferable to either one alone.

See Also

https://www.mongodb.com/

Plugin Details

Severity: Critical

ID: 81777

File Name: mongodb_authentication_disabled.nasl

Version: 1.8

Type: remote

Family: Databases

Published: 3/12/2015

Updated: 11/30/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Default credentials

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: manual

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:mongodb:mongodb

Exploited by Nessus: true