BugZero | MongoDB BugID 93086 - users with roles readAnyDatabase or readWriteAnyDa...

MongoDB - Defect ID: 93086

users with roles readAnyDatabase or readWriteAnyDatabase should not be authorized to run the listDatabases command

MongoDB - Defect ID: 93086

users with roles readAnyDatabase or readWriteAnyDatabase should not be authorized to run the listDatabases command

Last updated on 7/9/2016

Overall: 4.54.5

Severity: 4.64.6

Community: 5.55.5

Lifecycle: 9.19.1

What is the BugZero Risk Score?

Vendor details

Priority: Minor - P4
Status: Closed

Overall: 4.54.5

Severity: 4.64.6

Community: 5.55.5

Lifecycle: 9.19.1

What is the BugZero Risk Score?

Vendor details

Priority: Minor - P4
Status: Closed

Info

In v2.4.6, only users with the role clusterAdmin are permitted to run the listDatabases command. In recent builds (I am running against githash 19cd20cbceccfb21fd4338a2a8d5e3ad1738581d), users without the clusterAdmin role can run listDatabases if they have either the readAnyDatabase or readWriteAnyDatabase roles. The desired behavior is that from v2.4.6--readAnyDatabase or readWriteAnyDatabase should NOT provide listDatabases permission.

Top User Comments

schwerin commented on Mon, 7 Oct 2013 20:24:51 +0000: This was an intentional change.

Steps to Reproduce

db.auth as a user with readAnyDatabase or readWriteAnyDatabase roles db.runCommand({listDatabases: 1}) Expected result: command fails with "unauthorized" Actual result: command works

5.9Defect ID: 2956672
Some time-series tests implicitly rely on measurement insertion order for unordered inserts when checking bucket catalog stats
6.14Defect ID: 2965528
Remove push, publish_packages, and crypt_push tasks from Graviton 4 variants in v7.0 and v8.0
6.14Defect ID: 2947969
[SBE] Release storage engine resources when saveState() or restoreState() throws
5.68Defect ID: 2919474
StackLocator broken by v5 toolchain ASAN
5.88Defect ID: 2968769
Make new write path helper functions use acquireAndValidateBucketsCollection instead of acquireCollection

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

MongoDB - Defect ID: 93086

users with roles readAnyDatabase or readWriteAnyDatabase should not be authorized to run the listDatabases command

MongoDB - Defect ID: 93086

users with roles readAnyDatabase or readWriteAnyDatabase should not be authorized to run the listDatabases command

Last updated on 7/9/2016

Vendor details

Vendor details

Description

Info

Top User Comments

Steps to Reproduce

Links

Top MongoDB defects by risk score

Ready to prevent the next vendor outage?