MongoDB Unauthenticated REST API Detection

medium Nessus Plugin ID 81778

Synopsis

The remote web server is running an unauthenticated REST API for a database system.

Description

The remote web server is running an unauthenticated REST API for MongoDB, a document-oriented database system. A remote attacker can exploit this API to read arbitrary collections from databases in the system.

Solution

Disable or restrict access to the MongoDB REST API or the MongoDB HTTP interface.
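The following mongod.conf fragment shows the weak setting beside the corrected one. It is an added example for this page, not configuration from Tenable or from the MongoDB documentation linked below; it assumes the YAML configuration format used by MongoDB 2.6 through 3.4, where the `net.http.enabled` and `net.http.RESTInterfaceEnabled` options control the HTTP status page and the REST API that this plugin detects. The HTTP interface listens on the mongod port plus 1000 (28017 by default) and applies no authentication, which is why the finding is a read of arbitrary collections.

```yaml
# mongod.conf (YAML format, MongoDB 2.6 - 3.4). Added example, not from the plugin page.

# Weak: the HTTP status interface and the REST API are both switched on.
# Anyone who can reach TCP/28017 (mongod port + 1000) can browse collections;
# the interface does not use MongoDB authentication.
#
# net:
#   http:
#     enabled: true
#     RESTInterfaceEnabled: true

# Hardened: disable both. bindIp is an assumed extra hardening step that
# limits every mongod listener to the loopback address; it is the "restrict
# access" half of the Solution for deployments that cannot disable the
# interface outright (a host firewall rule on port 28017 is the other option).
net:
  bindIp: 127.0.0.1
  http:
    enabled: false
    RESTInterfaceEnabled: false
```

On the command line the same settings correspond to `--rest` and `--httpinterface` (enable) and `--nohttpinterface` (disable). After restarting mongod, confirm that nothing listens on the HTTP port any more and re-run the plugin. MongoDB 3.6 and later removed the HTTP interface and REST API entirely, so on those versions the finding indicates an old server rather than a configuration error.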

See Also

https://docs.mongodb.com/ecosystem/tools/http-interfaces/

Plugin Details

Severity: Medium

ID: 81778

File Name: mongodb_web_admin_rest_api.nasl

Version: 1.2

Type: remote

Family: Databases

Published: 3/12/2015

Updated: 6/6/2017

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:mongodb:mongodb

Required KB Items: installed_sw/mongodb_web