| VID |
25328 |
| Severity |
30 |
| Port |
27017 |
| Protocol |
TCP |
| Class |
DB |
| Detailed Description |
The version of the remote MongoDB server is prior to 3.0.15. It is, therefore, affected by an information disclosure in mongo shell due to the MongoDB client having world-readable permissions on .dbshell history files. An unauthenticated, local attacker can exploit this by reading these files to disclose potentially sensitive information.
* References:
https://www.mongodb.com/alerts
* Platforms Affected:
MongoDB prior to 3.0.15
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of MongoDB(3.0.15 or later), available from the MongoDB Web page at https://www.mongodb.com/download-center/community |
| Related URL |
CVE-2016-6494 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
