Information
MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce group $where $accumulator and $function aggregation operations that allow users to define custom aggregation expressions. If you do not use these operations, server-side scripting should be disabled.
If server-side scripting is not needed and is not disabled, this introduces unnecessary risk which may allow an attacker to take advantage of insecure coding.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
If server-side scripting is not required, for mongod instance disable it by using the --noscripting option on the command line, or setting security.javascriptEnabled to false in the configuration file.
Starting in MongoDB 4.4 this is also applicable to mongos.
Impact:
Disabling server-side scripting will block all server-side scripts from executing.