A tool to fingerprint MongoDB versions using the listCommands output and specifically the help text from the setParameter command.
This is useful for identifying MongoDB instances where buildInfo is no longer exposed pre-authentication (8.2.1+).
For example, version 8.2.1 can be matched using hash d98d6221a22a37dce7f4fffc05ec05a9.
The following two versions (8.2.2-8.2.3) can be matched using hash 2d7cb04d67cc9291f3bb561f32b7feaa.
Notably 8.2.2 introduced the following changes:

```json
{
  "2d7cb04d67cc9291f3bb561f32b7feaa": {
    "version_min": "8.2.2",
    "version_max": "8.2.3",
    "versions": [
      "8.2.2",
      "8.2.3"
    ],
    "version_prev": "8.2.1",
    "params_added": [
      "ingressRequestRateLimiterApplicationExemptions",
      "internalQueryPermitMatchSwappingForComplexRenames",
      "internalReduceAccumulatedValueDepthCheckInterval",
      "minimalWriteConflictRetryCountForStateDump",
      "oplogSamplingAsyncYieldIntervalMs",
      "proxyProtocolMaximumPendingConnections",
      "proxyProtocolMaximumWaitBackoffMillis",
      "proxyProtocolTimeoutSecs",
      "useSlowCollectionTruncateMarkerScanning",
      "writeConflictRetryCountForDumpState"
    ],
    "count": 792
  }
}
```

- Configure docker or podman on your development system.
- Install a recent version of Go (1.25+).
- Run `./update-from-docker.sh` to extract fingerprints from newer MongoDB containers.
- Use `data/matches.json` for matching `setParameter` help output (MD5) to versions.
- Be amazed at how many parameters are changed between minor versions of MongoDB.

The help output files in the data directory can be used to identify unauthenticated
commands by version and generally review the evolution of MongoDB features.

```
$ grep -L '"requiresAuth": false' data/*/buildInfo.json
data/8.2.1/buildInfo.json
data/8.2.2/buildInfo.json
data/8.2.3/buildInfo.json
```

Some interesting highlights:

- The big one: `buildInfo` is restricted as of `8.2.1`.
- The `waitForFailPoint` command was removed after `8.0.9`.
- The `whatsmyuri` command was removed after `7.0.9`.