Bug 991387 (CVE-2016-6494) - VUL-1: CVE-2016-6494: mongodb: world-readable .dbshell history file
Summary: VUL-1: CVE-2016-6494: mongodb: world-readable .dbshell history file
Status: RESOLVED INVALID
Alias: CVE-2016-6494
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low  Severity: Minor
Target Milestone: ---
Assignee: Cloud Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/171501/
Whiteboard: CVSSv2:SUSE:CVE-2016-6494:2.1:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-31 07:36 UTC by Andreas Stieger
Modified: 2020-04-01 18:01 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2016-07-31 07:36:22 UTC
mongodb-clients stores its history in ~/.dbshell; this file is created with permissions 0644.

With readable home directories this leaks the mongodb history, even though
db.auth commands don't appear to be logged like redis did. (bug 991250)

Upstream bug: https://jira.mongodb.org/browse/SERVER-25335

References:
https://jira.mongodb.org/browse/SERVER-25335
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6494
http://seclists.org/oss-sec/2016/q3/203
Comment 1 Andreas Stieger 2016-07-31 07:38:16 UTC
https://jira.mongodb.org/browse/SERVER-25335?focusedCommentId=1342085&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-1342085

This may be influenced by the umask setting and not be a bug fixable in mongodb.
Comment 2 Swamp Workflow Management 2016-07-31 22:00:14 UTC
bugbot adjusting priority
Comment 3 Sebastian Krahmer 2016-08-01 09:24:38 UTC
Reading the upstream discussion, this looks like a non-issue (umask).
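The permission behaviour the description and Comment 1 argue about, as an added example that is not part of the bug report or of MongoDB's code: a history file written through open() with the default mode lands at 0644 under the common umask 022 and only becomes private if the umask happens to be 077, whereas a file that requests 0600 at creation stays 0600 under any umask. audit_and_fix is an assumed helper name that tightens an already-existing history file; the sample history line is constructed.

```python
import os
import stat
import tempfile

SAMPLE_HISTORY = "db.users.find()\n"  # constructed sample history line


def create_with_default_mode(path, umask):
    """Naive write: open() asks for 0666 and the umask decides the rest.
    Returns the resulting permission bits."""
    old = os.umask(umask)
    try:
        with open(path, "w") as fh:
            fh.write(SAMPLE_HISTORY)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_private(path, umask):
    """Hardened write: request 0600 at creation. A umask can only clear
    bits, so the result is 0600 whatever the caller's umask is."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_HISTORY)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_readable_by_others(path):
    """True if group or other hold read permission on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRGRP | stat.S_IROTH))


def audit_and_fix(path):
    """Tighten an existing history file to 0600 if anyone but the owner has
    any access. Returns (mode_before, mode_after)."""
    before = stat.S_IMODE(os.stat(path).st_mode)
    if before & (stat.S_IRWXG | stat.S_IRWXO):
        os.chmod(path, 0o600)
    return before, stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run every case in a scratch directory and return the observed modes."""
    with tempfile.TemporaryDirectory() as tmp:
        leaky = os.path.join(tmp, ".dbshell")
        results = {
            "default_umask022": create_with_default_mode(leaky, 0o022),
            "default_umask077": create_with_default_mode(os.path.join(tmp, "h2"), 0o077),
            "explicit_umask022": create_private(os.path.join(tmp, "h3"), 0o022),
            "explicit_umask000": create_private(os.path.join(tmp, "h4"), 0o000),
            "leaky_before_fix": is_readable_by_others(leaky),
            "fixed": audit_and_fix(leaky),
        }
        results["leaky_after_fix"] = is_readable_by_others(leaky)
    return results
```

Calling demo() on a POSIX system shows the default-mode file at 0o644 under umask 022 and the explicit-mode file at 0o600 under every umask, which is why the upstream discussion treats the report as a umask matter rather than a client bug.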