Description

RethinkDB is an open-source database that makes use of JSON documents with dynamic schemas for real-time data processing.

A new RethinkDB cluster always has one user named admin; this user always has all permissions at a global scope, and the user cannot be deleted. By default, the admin user has no password.

Remediation

Configure RethinkDB to listen only on the local interface and set a strong password for the admin user. You can change the password for the admin user by updating the admin user document, or by specifying the --initial-password command line option on startup.

References

Permissions and user accounts

Related Vulnerabilities

ASP.NET header checking is disabled in web.config

WordPress user registration enabled

WordPress Plugin Backup & Restore Dropbox Multiple Vulnerabilities (1.4.7.5)

Oracle E-Business Suite iStore open user registration

Unrestricted access to Prometheus Metrics

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N

Tags

Configuration Insecure Admin Access Default Credentials