CVE-2026-9751
Received - Intake
LDAP Password Logging in MongoDB Server

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MongoDB, Inc.

Description
The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Executive Summary

This vulnerability involves the ldapQueryPassword parameter in MongoDB. When this parameter is set using the runtime setParameter command, the new password is logged in plain text within the mongod.log file.

Impact Analysis

This vulnerability exposes sensitive password information in plain text within log files. An attacker who gains access to the logs can use it for unauthorized access, potentially compromising the security of the system.

Detection Guidance

This vulnerability can be detected by checking the mongod.log file for any instances where the ldapQueryPassword parameter is logged in plain text.

Since the issue involves the runtime setParameter command logging the password, you can search the mongod.log file for entries related to ldapQueryPassword.

  • Use a command like: grep ldapQueryPassword /path/to/mongod.log
  • Review the log entries for any plaintext passwords being recorded.

Mitigation Strategies

To mitigate this vulnerability, avoid setting the ldapQueryPassword parameter through the runtime setParameter command, as this causes the password to be logged in plain text.

Instead, configure the ldapQueryPassword parameter through secure configuration files or environment variables that do not get logged.

Additionally, review and restrict access to the mongod.log file to prevent unauthorized viewing of sensitive information.
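
As an added example (not from the advisory or from MongoDB), the following Python script performs the log search from the detection guidance without echoing the matched lines, which plain grep would print with the password included, and checks whether the log file is accessible beyond its owner. The sample log lines, their attr field names and the password value are constructed for illustration, and the function names are hypothetical.

```python
import json
import os
import tempfile

PARAM = "ldapQueryPassword"
# Constructed sample lines in MongoDB's JSON log layout; the attr field names
# and the password value are assumptions made for this example.
SAMPLE_LOG = "\n".join([
    '{"t":{"$date":"2026-06-09T10:00:01.000+00:00"},"s":"I","c":"NETWORK","msg":"Connection accepted","attr":{}}',
    '{"t":{"$date":"2026-06-09T10:02:17.000+00:00"},"s":"I","c":"COMMAND","msg":"Set parameter","attr":{"name":"ldapQueryPassword","value":"constructed-secret"}}',
    'legacy text line mentioning ldapQueryPassword: constructed-secret',
]) + "\n"


def find_exposures(path):
    """Return (line_number, timestamp) per matching line; never the line text."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            if PARAM not in line:
                continue
            try:
                ts = json.loads(line)["t"]["$date"]
            except (ValueError, KeyError, TypeError):
                ts = None  # not a JSON log line; report the line number only
            hits.append((lineno, ts))
    return hits


def readable_beyond_owner(path):
    """True if group or other have any permission bits set on the log file."""
    return bool(os.stat(path).st_mode & 0o077)


def write_sample(mode=0o640):
    """Write SAMPLE_LOG to a temporary file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOG)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = write_sample()
    for lineno, ts in find_exposures(sample):
        print(f"line {lineno}: {PARAM} logged at {ts or 'unknown time'}")
    print("readable beyond owner:", readable_beyond_owner(sample))
    os.remove(sample)
```

The timestamps it reports bound the window in which the logged password was exposed, which helps when deciding which log files and rotated copies to restrict.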

Compliance Impact

The vulnerability causes the ldapQueryPassword parameter to be logged in plain text within the mongod.log file. This exposure of sensitive password information in logs can lead to unauthorized access or data breaches.

Such exposure of sensitive authentication credentials may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and proper handling of authentication information to prevent unauthorized disclosure.
