Return
-
Title
MongoDB 2.x, 3.0.x < 3.0.15, 3.1.x < 3.2.14, 3.3.x < 3.3.14 Mongo Shell Information Disclosure Vulnerability (SERVER-25335) -
Description
Mongodb vulnerability SERVER-25335 may be listed when a audit is performed and pointing to Rapid Recovery. -
Cause
There is a vulnerability from remote MongoDB server is 2.x, 3.x < 3.0.15, 3.2.x < 3.2.14, 3.3.x < 3.3.14. It is, therefore, affected by an information disclosure in mongo shell due to the MongoDB client having world-readable permissions on .dbshell history files. An unauthenticated, local attacker can exploit this by reading these files to disclose potentially sensitive information. -
Resolution
This is a low vulnerability and does not affect Rapid Recovery as this database is used to save the Rapid Recovery Core events only and no customer data is saved on it. Our development team is aware about this and they are planning to upgrade Mongodb in a future release. -
Additional Information