STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020:

MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it.

DISA Rule

SV-96605r1_rule

Vulnerability Number

V-81891

Group Title

SRG-APP-000251-DB-000391

Rule Version

MD3X-00-000500

Severity

CAT II

CCI(s)

• CCI-001310 - The information system checks the validity of organization-defined inputs.

Weight

10

Fix Recommendation

Disable the "javascriptEnabled" option.

Edit the MongoDB configuration file (default location: /etc/mongod.conf" to include the following:

security:
javascriptEnabled: false

Check Contents

MongoDB operations permit arbitrary JavaScript expressions to be run directly on the server.

If the following parameter is not present or not set as show below in the MongoDB configuration file (default location: /etc/mongod.conf), this is a finding.

security:
javascriptEnabled: "false"

Vulnerability Number

V-81891

Documentable

False

Rule Version

MD3X-00-000500

Severity Override Guidance

MongoDB operations permit arbitrary JavaScript expressions to be run directly on the server.

If the following parameter is not present or not set as show below in the MongoDB configuration file (default location: /etc/mongod.conf), this is a finding.

security:
javascriptEnabled: "false"

Check Content Reference

M

Target Key

3265

Comments