V-265921
MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
Title
MongoDB must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Description
<VulnDiscussion>The DOD standard for authentication is DOD-approved PKI certificates. Normally, with PKI authentication, the interaction with the user for authentication will be handled by a software component separate from MongoDB, such as ActivIdentity ActivClient. However, in cases where MongoDB controls the interaction, this requirement applies. To prevent the compromise of authentication information such as passwords and PINs during the authentication process, the feedback from the system...
Fix Text (Documentation Requirement)
For the mongo shell "mongosh", "mongodump", "mongorestore", "mongoimport", "mongoexport", which can accept a plain-text password, and any other essential tool with the same limitation: - Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval. - Train all users of the tool in the nature of using the plain-text password option and in how to keep the password protected from unauthorized viewing/capture and document they have been trained. To view the acceptable command line flags, execute the commands with --help for the various parameters that can be used. For example: mongosh --help Example output: mongosh Authentication Options: -u, --username [arg] Username for authentication -p, --password [arg] ...