Operational Defect Database

BugZero found this defect 2430 days ago.

MongoDB | 399143

[SERVER-29915] SCRAM-SHA-1 mechanism should respect "y" in gs2-cbind-flag

Last update date:


Affected products:

MongoDB Server

Affected releases:

No affected releases provided.

Fixed releases:




SCRAM defines the gs2-cbind-flag parameter as follows: gs2-cbind-flag = ("p=" cb-name) / "n" / "y" ;; "n" -> client doesn't support channel binding. ;; "y" -> client does support channel binding ;; but thinks the server does not. ;; "p" -> client requires channel binding. ;; The selected channel binding follows "p=". This is a Man-in-the-Middle protection measure, for clients which must detect if a remote server supports channel binding. If a Man-in-the-Middle manipulates traffic, and tricks the client into believing that the server did not support channel binding, the client must set this flag to "y". If the server supports channel binding and sees "y", that is an error. If, more likely, the MitM edits the client's message, and the server sees "n", then the client and server will not be able to negotiate a shared secret and authentication will fail. MongoDB currently fails authentication attempts which send anything other than "n". Our server and our drivers do not support channel binding, so they send "n", so this hasn't been an issue. However, if a future driver did support channel binding, and detected that an old server did not support it, it would have to send the server "y". Today, that would cause authentication to fail.

Top User Comments

xgen-internal-githook commented on Thu, 10 Aug 2017 20:58:09 +0000: Author: {'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com'} Message: SERVER-29915: Respect "y" in gs2-cbind-flag in SCRAM Branch: master https://github.com/mongodb/mongo/commit/07d4d94b06c6899699410312e20ef33d954ddbd1

Additional Resources / Links


BugZero Risk Score

Coming soon



Have you been affected by this bug?


Do you know how much operational outages are costing you?

Understand the cost to your business and how BugZero can help you reduce those costs.


Login to read and write comments.

Have you ever...

had your data corrupted from a