Dear OpenVAS developers,

the gb_mongodb_no_auth.nasl contains the following rating:

script_tag(name:"cvss_base", value:"6.4");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:N");

That does not reflect the actual severity of the vulnerability.
When MongoDB authentication is disabled, an attacker can dump, modify or delete all databases remotely.
Confidentiality and Integrity Impact should be changed to “Complete”.
The CVSS 2 score would rise to 9.4.