You don't have to bind to 0.0.0.0:[port]. If you want the server to remain accessible only locally, bind the container to 127.0.0.1:[port]. Docker is not preventing anyone from doing this.
Yeah, that's all fine and dandy, but the Docker default is to bind to 0.0.0.0, so it really should be taken into account. I honestly would have to go and look up the flags needed to change the bind address, but I know the port ones (as I'm sure do many people who copy/paste docker lines from random repos), so it's still insecure for a common configuration/setup.
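An added example, not from the thread and not Docker's own tooling: a POSIX sh checker that classifies the port specs the two comments above argue about, so a `-p 27017:27017` (all interfaces, the default) is flagged before the container ships while `-p 127.0.0.1:27017:27017` passes. It assumes the IPv4 forms of Docker's `-p` / compose `ports:` syntax and MongoDB's default port 27017; the sample specs are constructed.

```shell
#!/bin/sh
# Added example (not the thread's or Docker's code): classify Docker port
# publishing specs so an all-interfaces binding is caught before deployment.
# Assumed IPv4 forms of a -p / compose "ports:" entry:
#   containerPort | hostPort:containerPort | ip:hostPort:containerPort | ip::containerPort
# each optionally suffixed with /tcp or /udp. IPv6 bracket forms are out of scope.

# Prints "public" when the host side binds every interface (Docker's default
# when no IP is given, or when 0.0.0.0 is given explicitly), otherwise "local".
classify_port_spec() {
  spec="${1%/*}"                      # strip a trailing /tcp or /udp
  case "$spec" in
    *:*:*) ip="${spec%%:*}" ;;        # ip:hostPort:containerPort or ip::containerPort
    *)     ip="" ;;                   # hostPort:containerPort or bare containerPort
  esac
  case "$ip" in
    ""|0.0.0.0) echo public ;;
    *)          echo local ;;
  esac
}

# Reads one spec per line on stdin, warns on stderr for each spec reachable
# from other hosts, and prints the number of such specs.
count_public_specs() {
  n=0
  while IFS= read -r spec; do
    [ -n "$spec" ] || continue
    if [ "$(classify_port_spec "$spec")" = public ]; then
      n=$((n + 1))
      echo "WARNING: '$spec' publishes the port on all interfaces; use 127.0.0.1:<hostPort>:<containerPort> if only local access is intended" >&2
    fi
  done
  echo "$n"
}

# Constructed sample: three common ways people publish the mongo port.
SAMPLE_SPECS='27017:27017
127.0.0.1:27017:27017
0.0.0.0:27017:27017/tcp'

# Runs the audit over the constructed sample; prints 2 (the first and third spec).
audit_sample() {
  printf '%s\n' "$SAMPLE_SPECS" | count_public_specs
}
```

On a live host, `ss -ltnp` (or `docker port <container>`) confirms which address the published port actually landed on.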
robotmay|4 years ago
I've never quite understood the opposition to just shipping mongodb with authentication on by default. What sort of use-case does it solve by not requiring it, and is it worth all the bad publicity every time this crops up in a new exploit report?