mongodb guest instance allows any user to connect
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack DBaaS (Trove) | Fix Released | High | Matthew Van Dijk |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | Undecided | Luke Hinds |
Bug Description
The risk on this I'd say is medium because it's limited to the networks that the instance is created on.
So when you create a new mongodb single instance the default settings of mongo for security.
This means that you do not need to provide credentials to connect to the mongo instance to read/write data from any database on the instance. The reason I say this is a low security issue is because you are only able to connect to the instance from a network that is attached on instance create. There is a potential of high risk here depending on what type of network this mongo instance is created on.
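The following is an added example, not part of the original report and not Trove code. It audits a mongod configuration for the two conditions the description combines: access control left off, and a listener reachable from attached networks. It reads MongoDB's `security.authorization` and `net.bindIp` settings and their legacy `auth` and `bind_ip` forms. The sample configs are constructed, and treating an unset bind address as "all interfaces" (the default before MongoDB 3.6) is an assumption.

```python
# Constructed sample configs (not taken from Trove or from this report).
OPEN_CONF = """\
net:
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
LEGACY_CONF = "bind_ip = 10.0.0.5\nauth = true\n"


def parse_mongod_conf(text):
    """Flatten YAML-style (nested scalar mappings) or legacy key=value config."""
    flat, stack = {}, []  # stack: (indent, key) of currently open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if "=" in line and ":" not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)  # legacy format
            flat[key.strip()] = value.strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip().strip("'\"")
        else:
            stack.append((indent, key))
    return flat


def audit(text):
    """Return findings; an empty list means neither condition was detected."""
    conf = parse_mongod_conf(text)
    findings = []
    if not (conf.get("security.authorization", "").lower() == "enabled"
            or conf.get("auth", "").lower() == "true"):
        findings.append("no-auth")
    # Assumption: unset bind address = all interfaces (default before MongoDB 3.6).
    bind = conf.get("net.bindIp", conf.get("bind_ip", ""))
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    if not addrs or any(a not in ("127.0.0.1", "localhost", "::1") for a in addrs):
        findings.append("non-loopback-bind")
    return findings
```

A config that returns both findings matches the situation in this report: any host on an attached network can read and write without credentials.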
Changed in trove:
status: New → Triaged
Changed in trove:
milestone: mitaka-1 → mitaka-3
information type: Private Security → Public Security
description: updated
Changed in ossa:
status: Incomplete → Won't Fix
Changed in trove:
milestone: mitaka-3 → mitaka-rc1
Changed in ossa:
assignee: nobody → Michael Xin (michael-xin)
assignee: Michael Xin (michael-xin) → nobody
Changed in ossn:
assignee: nobody → Michael Xin (michael-xin)
Changed in ossn:
status: New → Confirmed
Changed in ossn:
assignee: Michael Xin (michael-xin) → Luke Hinds (lhinds)
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.