Security Release Notes¶

On this page

Access to system.users Collection
Password Hashing Insecurity

Access to `system.users` Collection¶

Changed in version 2.4.

In 2.4, only users with the userAdmin role have access to the system.users collection.

In version 2.2 and earlier, the read-write users of a database all have access to the system.users collection, which contains the user names and user password hashes. [1]

[1]	Read-only users do not have access to the `system.users` collection.

Password Hashing Insecurity¶

If a user has the same password for multiple databases, the hash will be the same. A malicious user could exploit this to gain access on a second database using a different user’s credentials.

As a result, always use unique username and password combinations for each database.

Thanks to Will Urbanski, from Dell SecureWorks, for identifying this issue.

← Default MongoDB Port Aggregation →

Security Release Notes¶

Access to system.users Collection¶

Password Hashing Insecurity¶

Access to `system.users` Collection¶