docker-library / mongo

Docker Official Image packaging for MongoDB
https://www.mongodb.org/
Apache License 2.0

Is this a vulnerability? With credentials set, a client without credentials can connect but cannot operate #699

Closed InfernalAzazel closed 2 months ago

InfernalAzazel commented 2 months ago

Server docker-compose.yml:

version: '3.9'
services:
  # database
  mongo:
    image: mongo:latest
    container_name: mongo
    hostname: mongo
    restart: always
    volumes:
      - mongo_data:/data/db
    environment:
      MONGO_INITDB_ROOT_USERNAME: ${MONGO_INITDB_ROOT_USERNAME}
      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_INITDB_ROOT_PASSWORD}
    ports:
      - "27017:27017"
    command: --auth

volumes:
  mongo_data:
    name: mongo_data

Local testing

[three screenshots of the local test were attached here; they are not included in this extraction]

Vulnerability scanner classified as CVE-1999-0633

tianon commented 2 months ago

If you believe you have found a vulnerability in a piece of open source software, the generally appropriate/accepted course of action is to attempt what is called "responsible disclosure" by which you find a way to disclose the (potential) vulnerability privately (as in, not on the public GitHub issue tracker) to the maintaining party. Most projects will have a generally accepted means of receiving reports of this kind in a private forum so that they can do a coordinated disclosure publicly, especially if it is something that affects a lot of users.

All that being said, I do not believe there is a vulnerability here -- what you've shown is that the database still accepts anonymous connections when authentication is enabled, which makes sense and is how this kind of has to work, since it has to have a way for a client to connect and attempt authentication (in other words, a client cannot "authenticate" without first connecting in some way). I believe that's what you're seeing.
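The behaviour described above (the server accepts the connection, then refuses unauthenticated operations with MongoDB error code 13, "Unauthorized") can be turned into a verification check for a deployment like the one in the compose file. The script below is an added example written for this page; it is not part of the issue thread or of the docker-library/mongo project. It assumes pymongo is installed and that the server is reachable on the host/port given to `probe()`; the credentials and the `listDatabases` command are chosen here for illustration, and `interpret()` is the pure decision logic that classifies what the anonymous probe observed.

```python
"""Check that a MongoDB started with --auth accepts connections but refuses
unauthenticated operations, and that the configured root user can operate.

Added example for the discussion above; not code from the issue or the
docker-library/mongo project. Requires pymongo only when probe() is run.
"""

# MongoDB server error codes (stable, documented values)
UNAUTHORIZED = 13          # "Unauthorized": connected, but no privileges for the command
AUTHENTICATION_FAILED = 18 # "AuthenticationFailed": credentials were rejected


def interpret(anonymous_error_code, authenticated_error_code=None):
    """Classify a probe result.

    anonymous_error_code: None if the anonymous 'listDatabases' succeeded,
        otherwise the MongoDB error code it failed with.
    authenticated_error_code: same, for the run with credentials (None = ok).
    Returns a short verdict string; anything starting with 'FAIL' is a finding.
    """
    if anonymous_error_code is None:
        # This would be the real misconfiguration: auth not enforced at all.
        return "FAIL: anonymous client listed databases; --auth is not enforced"
    if anonymous_error_code != UNAUTHORIZED:
        return f"WARN: anonymous probe failed with unexpected code {anonymous_error_code}"
    if authenticated_error_code == AUTHENTICATION_FAILED:
        return "FAIL: auth enforced, but the configured credentials were rejected"
    if authenticated_error_code is not None:
        return f"WARN: authenticated probe failed with code {authenticated_error_code}"
    # Expected state for the compose file in the issue: connect ok, anonymous
    # operation refused, root user works.
    return "OK: connection accepted, anonymous operation refused (code 13), root user works"


def _run_list_databases(client):
    """Return None on success or the MongoDB error code on OperationFailure."""
    from pymongo.errors import OperationFailure
    try:
        client.admin.command("listDatabases")
        return None
    except OperationFailure as exc:
        return exc.code


def probe(host="localhost", port=27017, username=None, password=None,
          timeout_ms=2000):
    """Connect anonymously, then (optionally) with credentials, and interpret.

    Raises pymongo.errors.ServerSelectionTimeoutError if the server is not
    reachable at all, which is a different condition from 'auth enforced'.
    """
    from pymongo import MongoClient

    anon = MongoClient(host, port, serverSelectionTimeoutMS=timeout_ms)
    try:
        anon_code = _run_list_databases(anon)   # expected: 13 (Unauthorized)
    finally:
        anon.close()

    auth_code = None
    if username is not None:
        # Root user created by MONGO_INITDB_ROOT_USERNAME/PASSWORD lives in 'admin'.
        authed = MongoClient(host, port, username=username, password=password,
                             authSource="admin", serverSelectionTimeoutMS=timeout_ms)
        try:
            auth_code = _run_list_databases(authed)  # expected: None (success)
        finally:
            authed.close()

    return interpret(anon_code, auth_code)


if __name__ == "__main__":
    import os
    # Assumed environment variable names; match them to your compose .env file.
    print(probe(username=os.environ.get("MONGO_INITDB_ROOT_USERNAME"),
                password=os.environ.get("MONGO_INITDB_ROOT_PASSWORD")))
```

Run it against the compose stack with the same `.env` values the container was initialised with; the only line that should ever be treated as a finding is one beginning with `FAIL`, and the "connection accepted" part is, as noted above, normal for any authenticating client.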