CVE-2021-20332 — Sensitive Information Exposure in Mongodb

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

4.4MEDIUMNVD

CNA4.2

EPSS

0.1%

top 67.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb Mongodb INC Mongodb Rust Driver Mongodb Rust Driver

Timeline

PublishedAug 2

Latest updateMay 24

Description

Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credentials. Note that such monitoring is not enabled by default. This issue affects MongoDB Rust Driver version 2.0.0-alpha, MongoDB Rust Driver version 2.0.0-alpha1 and MongoDB Rust Driver version 1.0.0 through …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.8 | Impact: 3.6

Affected Packages3 packages

▶NVDmongodb/rust_driver1.0.0 — 1.2.1+1

▶CVEListV5mongodb_inc/mongodb_rust_driver1.0.0 — 1.2.1+2

▶crates.iomongodb/mongodb1.0.0 — 2.0.0-beta

Patches

Patch: jira.mongodb.org ↗Patch: jira.mongodb.org ↗

🔴Vulnerability Details

OSV

Exposure of Sensitive Information to an Unauthorized Actor in MongoDB Rust Driver↗2022-05-24

▶

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in MongoDB Rust Driver↗2022-05-24

▶

CVEList

MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application↗2021-08-02

▶