Information
MongoDB grants access to data and commands through a role-based approach. MongoDB ships with built-in roles that provide the levels of access commonly needed in a database system; in addition, you can create custom roles.
The following roles provide the ability to assign any user any privilege on any database, which means that users holding one of these roles can assign themselves any privilege on any database:
dbOwner role, when scoped to the admin database
userAdmin role, when scoped to the admin database
userAdminAnyDatabase role
Rationale:
Ensuring that highly privileged roles are granted only to database administrators, and that these roles are not scoped to the 'admin' database, reduces the attack surface and follows the principle of least privilege.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
If any accounts were listed holding one of the built-in roles:
dbOwner
userAdmin
userAdminAnyDatabase
scoped to the 'admin' database, revoke that role from the account (db.revokeRolesFromUser), or drop the account if it is no longer needed.
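The following script is an added example (it is not part of the benchmark or of Nessus) that covers both the audit described under Information and the remediation under Solution. It assumes the document shape returned in mongosh by db.getSiblingDB("admin").runCommand({ usersInfo: 1 }), filters every user's direct role grants for the three admin-scoped roles the check flags, and emits the revokeRolesFromUser statements that remove only those grants while leaving the account's other roles intact. The user list embedded below is constructed for illustration; in practice the same two functions can be pasted into mongosh and fed the live usersInfo result.

```javascript
// Added example, not from the benchmark: audit a usersInfo result for the
// three admin-scoped roles the check flags, then build revoke statements.
// Assumption: `usersInfo` has the shape returned by
// db.getSiblingDB("admin").runCommand({ usersInfo: 1 }) in mongosh.

const FLAGGED_ROLES = new Set(["dbOwner", "userAdmin", "userAdminAnyDatabase"]);

// A grant is flagged only when it is one of the three roles AND it is scoped
// to the admin database. dbOwner on any other database is out of scope here.
function isFlaggedGrant(grant) {
  return grant.db === "admin" && FLAGGED_ROLES.has(grant.role);
}

// Walks every user in a usersInfo result and returns the offending grants,
// one entry per (user, role) pair, so the output lists exactly what to revoke.
function findAdminScopedPrivilegedUsers(usersInfo) {
  const findings = [];
  for (const u of usersInfo.users || []) {
    for (const grant of u.roles || []) {
      if (isFlaggedGrant(grant)) {
        findings.push({ user: u.user, userDb: u.db, role: grant.role, roleDb: grant.db });
      }
    }
  }
  return findings;
}

// Groups findings per account and builds one mongosh revokeRolesFromUser
// statement each. Only the flagged grants are removed; whether an account
// should be dropped entirely is a human decision, so no dropUser is emitted.
function buildRevokeStatements(findings) {
  const byUser = new Map();
  for (const f of findings) {
    const key = `${f.userDb}.${f.user}`;
    if (!byUser.has(key)) byUser.set(key, { user: f.user, userDb: f.userDb, roles: [] });
    byUser.get(key).roles.push({ role: f.role, db: f.roleDb });
  }
  return [...byUser.values()].map(
    (e) =>
      `db.getSiblingDB(${JSON.stringify(e.userDb)}).revokeRolesFromUser(` +
      `${JSON.stringify(e.user)}, ${JSON.stringify(e.roles)})`
  );
}

// Constructed sample in the shape of a usersInfo response (not real output).
const SAMPLE_USERS_INFO = {
  users: [
    { _id: "admin.dba", user: "dba", db: "admin",
      roles: [{ role: "root", db: "admin" }] },
    { _id: "admin.app_owner", user: "app_owner", db: "admin",
      roles: [{ role: "dbOwner", db: "admin" }, { role: "readWrite", db: "app" }] },
    { _id: "app.app_rw", user: "app_rw", db: "app",
      roles: [{ role: "readWrite", db: "app" }] },
    { _id: "reporting.owner", user: "owner", db: "reporting",
      roles: [{ role: "dbOwner", db: "reporting" }] },   // not flagged: not admin-scoped
    { _id: "admin.helpdesk", user: "helpdesk", db: "admin",
      roles: [{ role: "userAdmin", db: "admin" }, { role: "userAdminAnyDatabase", db: "admin" }] },
  ],
  ok: 1,
};

const sampleFindings = findAdminScopedPrivilegedUsers(SAMPLE_USERS_INFO);
console.log(sampleFindings);
console.log(buildRevokeStatements(sampleFindings).join("\n"));
```

Two caveats when running this against a real deployment: the check inspects direct grants only, so an account that reaches the same power through root or through a custom role that inherits one of the three flagged roles will not appear in the findings, and the generated statements should be reviewed and run by an administrator rather than executed blindly.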