Description

The HTTP status interface is a web-based interface that exposes a variety of operational data, logs, and status reports for the mongod or mongos instance. It is always available on the port numbered 1000 greater than the primary mongod port. By default this is 28017; the value is set indirectly through the port option, which configures the primary mongod port.

Without the rest setting, this interface is entirely read-only, and limited in scope; nevertheless, this interface may represent an exposure. To disable the HTTP interface, set the nohttpinterface run time option or the --nohttpinterface command line option.

Remediation

To disable the HTTP interface, set the nohttpinterface run time option or the --nohttpinterface command line option.
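To confirm the remediation on a host, the following added example (not part of the original advisory or of MongoDB itself) audits a legacy `key = value` mongod configuration plus any command-line arguments and reports the derived status-interface port. The function names, the sample configuration, the default primary port of 27017, and the rule that command-line options override the file are assumptions of this sketch.

```python
DEFAULT_MONGOD_PORT = 27017  # assumed primary port when the port option is unset


def parse_legacy_config(text):
    """Parse 'key = value' lines of a legacy mongod config; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def apply_argv(opts, argv):
    """Overlay command-line options (assumed here to take precedence over the file)."""
    args = list(argv)
    for i, arg in enumerate(args):
        if arg in ("--nohttpinterface", "--rest"):
            opts[arg[2:]] = "true"
        elif arg == "--port" and i + 1 < len(args):
            opts["port"] = args[i + 1]
        elif arg.startswith("--port="):
            opts["port"] = arg.split("=", 1)[1]
    return opts


def audit(config_text, argv=()):
    """Return the status-interface port and whether the interface is disabled."""
    opts = apply_argv(parse_legacy_config(config_text), argv)
    port = int(opts.get("port", DEFAULT_MONGOD_PORT))
    return {
        "status_port": port + 1000,  # interface listens 1000 above the primary port
        # Only an explicit "true" counts as disabled, so odd values fail safe.
        "http_interface_disabled": opts.get("nohttpinterface", "").lower() == "true",
        "rest_set": opts.get("rest", "").lower() == "true",
    }


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_EXPOSED = "port = 27018\nrest = true  # widens the interface\n"

if __name__ == "__main__":
    print("config only:      ", audit(SAMPLE_EXPOSED))
    print("with CLI override:", audit(SAMPLE_EXPOSED, ["--nohttpinterface"]))
```

A result with `http_interface_disabled` set to false means `status_port` should be checked against host firewall rules and listening sockets.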
