
Ensure that server-side scripting is disabled if not needed

Details

MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, group, $where, and the $accumulator and $function aggregation operations, which allow users to define custom aggregation expressions. If you do not use these operations, server-side scripting should be disabled.

Rationale:

If server-side scripting is not needed and is not disabled, this introduces unnecessary risk which may allow an attacker to take advantage of insecure coding.

Impact:

Disabling server-side scripting will block all server-side scripts from executing.

Solution

If server-side scripting is not required, disable it for the mongod instance by using the --noscripting option on the command line, or by setting security.javascriptEnabled to false in the configuration file.
Starting in MongoDB 4.4, this also applies to mongos.

Default Value:

Enabled
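
The following audit check is an added example, not part of the original benchmark text. It evaluates the document returned by the getCmdLineOpts admin command against this control. The function name, the sample documents (constructed), and the assumption that the parsed options mirror the configuration-file key security.javascriptEnabled are the example's own.

```javascript
// Added example: decide whether server-side scripting is disabled, given the
// result of db.adminCommand({ getCmdLineOpts: 1 }) from a mongod or mongos.
// auditServerSideScripting and SAMPLES are hypothetical names for this example.
function auditServerSideScripting(opts) {
  const argv = Array.isArray(opts && opts.argv) ? opts.argv : [];
  const parsed = (opts && opts.parsed) || {};
  const security = parsed.security || {};

  // Assumption: parsed options use the configuration-file key names.
  if (security.javascriptEnabled === false) {
    return { compliant: true, reason: "security.javascriptEnabled is false" };
  }
  // Fallback: the flag is visible on the raw command line.
  if (argv.includes("--noscripting")) {
    return { compliant: true, reason: "--noscripting on command line" };
  }
  if (security.javascriptEnabled === true) {
    return { compliant: false, reason: "security.javascriptEnabled is explicitly true" };
  }
  // Key absent: the default value is Enabled, so the control fails.
  return { compliant: false, reason: "setting absent; default is Enabled" };
}

// Constructed sample documents (not captured from a real server).
const SAMPLES = {
  hardenedConfig: {
    argv: ["mongod", "--config", "mongod.cfg"],
    parsed: { config: "mongod.cfg", security: { javascriptEnabled: false } },
  },
  hardenedFlag: { argv: ["mongod", "--noscripting"], parsed: {} },
  defaultConfig: {
    argv: ["mongod", "--config", "mongod.cfg"],
    parsed: { config: "mongod.cfg", security: { authorization: "enabled" } },
  },
};

// In mongosh, `db` exists: audit the connected instance.
// Anywhere else (for example Node), walk the constructed samples.
if (typeof db !== "undefined") {
  printjson(auditServerSideScripting(db.adminCommand({ getCmdLineOpts: 1 })));
} else {
  for (const [name, doc] of Object.entries(SAMPLES)) {
    console.log(name, JSON.stringify(auditServerSideScripting(doc)));
  }
}
```

Run it against every mongod and, from MongoDB 4.4, every mongos in the deployment, since the setting is per process.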

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.


Updated on July 16, 2022