CVE-2021-20331 — Sensitive Information Exposure in Mongodb C Driver

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

4.9MEDIUMNVD

CNA4.2

EPSS

0.3%

top 47.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb C Driver Mongodb INC Mongodb C Driver

Timeline

PublishedMay 13

Latest updateMay 24

Description

Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an applicat…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶NVDmongodb/c_driver2.12.0 — 2.12.2+1

▶CVEListV5mongodb_inc/mongodb_c_driver2.12 — 2.12.1

Patches

Patch: jira.mongodb.org ↗Patch: jira.mongodb.org ↗

🔴Vulnerability Details

OSV

MongoDB C# Driver Risk of Exposing Authentication Data via Command Listener↗2022-05-24

▶

GHSA

MongoDB C# Driver Risk of Exposing Authentication Data via Command Listener↗2022-05-24

▶

CVEList

MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application↗2021-05-13

▶