Severity: critical | CWE-284 | OWASP A05:2021

Database Publicly Accessible

Your database is bound to 0.0.0.0 or exposed on a public IP without a VPC or firewall, making it directly reachable from the internet.

How It Works

A database bound to 0.0.0.0 listens on all network interfaces, public ones included. Combine that with a cloud security group that allows inbound traffic on port 5432 from anywhere (0.0.0.0/0), and your database is just another internet-facing service with no perimeter defense. Internet-wide scanners and search engines such as Shodan index these within hours of deployment.

Vulnerable Code

# BAD: PostgreSQL config binding to all interfaces
# postgresql.conf
listen_addresses = '*'  # binds to all interfaces, including public ones

# BAD: AWS security group allowing DB access from anywhere (Terraform)
resource "aws_security_group_rule" "db_inbound" {
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 5432
  to_port           = 5432
  cidr_blocks       = ["0.0.0.0/0"]              # open to the entire internet
  security_group_id = aws_security_group.db.id   # the DB tier's group (name assumed)
}

Secure Code

# GOOD: PostgreSQL only listening on the loopback interface
# postgresql.conf
listen_addresses = '127.0.0.1'  # localhost only, or use the VPC private IP

# GOOD: Security group restricts DB access to app servers only
resource "aws_security_group_rule" "db_inbound" {
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 5432
  to_port                  = 5432
  source_security_group_id = aws_security_group.app.id  # only from the app tier
  security_group_id        = aws_security_group.db.id   # the DB tier's group (name assumed)
}

Real-World Example

The 2017 MongoDB ransomware wave wiped 27,000+ databases in days because they were publicly accessible with no authentication. The same pattern repeats annually — in 2022 it was Elasticsearch, in 2023 Redis. Shodan shows tens of thousands of publicly accessible databases at any given time.

How to Prevent It

  • Deploy your database inside a VPC and never assign it a public IP address
  • Use security groups or firewall rules that only allow inbound DB traffic from your app servers' security group
  • For managed databases (RDS, Cloud SQL), explicitly disable public accessibility in the console or Terraform config
  • Use a bastion host or VPN for developer access — never open the DB port to 0.0.0.0/0 for convenience
  • Run regular port scans on your infrastructure to detect accidentally exposed databases

Affected Technologies

Node.js, Python, Go

Data Hogo detects this vulnerability automatically.
