Package: mongodb-clients
Version: 2.4.10-5
Severity: grave
Tags: security

During the report on redis-tools (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460), lamby@ linked to a codesearch and the same bug was found in mongodb-clients.

mongodb-clients stores its history in ~/.dbshell; this file is created with permissions 0644. Home folders are world readable as well in Debian, so any user can access other users' mongodb history, even though db.auth commands don't appear to be logged like redis did. I filed a bug on upstream as well: https://jira.mongodb.org/browse/SERVER-25335

Demo: `cat /home/*/.dbshell`
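An added audit/remediation script for administrators of affected hosts (not part of this report or of the mongodb-clients package): it checks each given home directory for a `.dbshell` history file whose mode grants any permission to group or other, reports them, and optionally tightens them to 0600. The file name `.dbshell` and the 0644 default are taken from the report; the function names and the use of GNU `stat -c '%a'` (as shipped on Debian) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report: audit and fix ~/.dbshell permissions.
# Assumes GNU stat (Debian coreutils). Sample home directories are created
# by the caller; see the usage at the bottom.

# history_is_private FILE: return 0 if FILE grants no bits to group or other,
# 1 if it does (or if FILE cannot be stat'ed).
history_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # keep only the last three octal digits (drop setuid/setgid/sticky digit)
    mode=${mode#"${mode%???}"}
    # the group and other digits must both be 0
    [ "${mode#?}" = "00" ]
}

# audit_dbshell_history HOME...: print every HOME/.dbshell that is readable by
# group or other; return 1 if at least one such file was found, 0 otherwise.
audit_dbshell_history() {
    found=0
    for home in "$@"; do
        f="$home/.dbshell"
        [ -f "$f" ] || continue
        if ! history_is_private "$f"; then
            printf '%s: mode %s exposes mongo shell history to other users\n' \
                "$f" "$(stat -c '%a' "$f")"
            found=1
        fi
    done
    return $found
}

# fix_dbshell_history HOME...: restrict each existing HOME/.dbshell to 0600.
fix_dbshell_history() {
    for home in "$@"; do
        f="$home/.dbshell"
        [ -f "$f" ] && chmod 0600 "$f"
    done
    return 0
}

# Usage on a real system (run as root so every home is readable):
#   audit_dbshell_history /home/* && echo "all mongo shell histories are private"
#   fix_dbshell_history /home/*
```

Running the audit before the fix mirrors the report's `cat /home/*/.dbshell` demo from the defender's side: it enumerates exactly the files that demo would have been able to read. Note that tightening the mode only addresses files that already exist; an unpatched shell will recreate `.dbshell` as 0644 the next time it starts, so the package fix (creating the file with 0600, or honouring a 077 umask) is still needed.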