Korean
<< Back
VID 25329
Severity 30
Port 27017
Protocol TCP
Class DB
Detailed Description The version of the remote MongoDB server is prior to 3.2.14. It is, therefore, affected by an information disclosure in mongo shell due to the MongoDB client having world-readable permissions on .dbshell history files. An unauthenticated, local attacker can exploit this by reading these files to disclose potentially sensitive information.

* References:
https://www.mongodb.com/alerts

* Platforms Affected:
MongoDB prior to 3.2.14
Any operating system Any version
Recommendation Upgrade to the latest version of MongoDB(3.2.14 or later), available from the MongoDB Web page at https://www.mongodb.com/download-center/community
Related URL CVE-2016-6494 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)