CVE-2021-32050

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

CVSS v3 4.2 MEDIUM

4.2^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.6 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://jira.mongodb.org/browse/CDRIVER-3797	Issue Tracking Patch Vendor Advisory
https://jira.mongodb.org/browse/CXX-2028	Issue Tracking Patch Vendor Advisory
https://jira.mongodb.org/browse/NODE-3356	Issue Tracking Patch Vendor Advisory
https://jira.mongodb.org/browse/PHPC-1869	Issue Tracking Patch Vendor Advisory
https://jira.mongodb.org/browse/SWIFT-1229	Issue Tracking
https://security.netapp.com/advisory/ntap-20231006-0001/
https://jira.mongodb.org/browse/CDRIVER-3797	Issue Tracking Patch Vendor Advisory
https://jira.mongodb.org/browse/CXX-2028	Issue Tracking Patch Vendor Advisory
https://jira.mongodb.org/browse/NODE-3356	Issue Tracking Patch Vendor Advisory
https://jira.mongodb.org/browse/PHPC-1869	Issue Tracking Patch Vendor Advisory
https://jira.mongodb.org/browse/SWIFT-1229	Issue Tracking
https://security.netapp.com/advisory/ntap-20231006-0001/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mongodb:c\+\+::::::mongodb::*
	cpe:2.3:a:mongodb:c_driver::::::mongodb::*
	cpe:2.3:a:mongodb:node.js::::::mongodb::*
	cpe:2.3:a:mongodb:node.js::::::mongodb::*
	cpe:2.3:a:mongodb:node.js::::::mongodb::*
	cpe:2.3:a:mongodb:php_driver::::::mongodb::*
	cpe:2.3:a:mongodb:swift_driver::::::mongodb::*

History

21 Nov 2024, 06:06

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 4.2
References	~~() https://jira.mongodb.org/browse/CDRIVER-3797 - Issue Tracking, Patch, Vendor Advisory~~	() https://jira.mongodb.org/browse/CDRIVER-3797 - Issue Tracking, Patch, Vendor Advisory
References	~~() https://jira.mongodb.org/browse/CXX-2028 - Issue Tracking, Patch, Vendor Advisory~~	() https://jira.mongodb.org/browse/CXX-2028 - Issue Tracking, Patch, Vendor Advisory
References	~~() https://jira.mongodb.org/browse/NODE-3356 - Issue Tracking, Patch, Vendor Advisory~~	() https://jira.mongodb.org/browse/NODE-3356 - Issue Tracking, Patch, Vendor Advisory
References	~~() https://jira.mongodb.org/browse/PHPC-1869 - Issue Tracking, Patch, Vendor Advisory~~	() https://jira.mongodb.org/browse/PHPC-1869 - Issue Tracking, Patch, Vendor Advisory
References	~~() https://jira.mongodb.org/browse/SWIFT-1229 - Issue Tracking~~	() https://jira.mongodb.org/browse/SWIFT-1229 - Issue Tracking
References	~~() https://security.netapp.com/advisory/ntap-20231006-0001/ -~~	() https://security.netapp.com/advisory/ntap-20231006-0001/ -

06 Oct 2023, 15:15

Type	Values Removed	Values Added
References		(MISC) https://security.netapp.com/advisory/ntap-20231006-0001/ -

07 Sep 2023, 19:28

Type	Values Removed	Values Added
First Time		Mongodb swift Driver Mongodb node.js Mongodb Mongodb c\+\+ Mongodb php Driver Mongodb c Driver
References	~~(MISC) https://jira.mongodb.org/browse/CDRIVER-3797 -~~	(MISC) https://jira.mongodb.org/browse/CDRIVER-3797 - Issue Tracking, Patch, Vendor Advisory
References	~~(MISC) https://jira.mongodb.org/browse/NODE-3356 -~~	(MISC) https://jira.mongodb.org/browse/NODE-3356 - Issue Tracking, Patch, Vendor Advisory
References	~~(MISC) https://jira.mongodb.org/browse/CXX-2028 -~~	(MISC) https://jira.mongodb.org/browse/CXX-2028 - Issue Tracking, Patch, Vendor Advisory
References	~~(MISC) https://jira.mongodb.org/browse/PHPC-1869 -~~	(MISC) https://jira.mongodb.org/browse/PHPC-1869 - Issue Tracking, Patch, Vendor Advisory
References	~~(MISC) https://jira.mongodb.org/browse/SWIFT-1229 -~~	(MISC) https://jira.mongodb.org/browse/SWIFT-1229 - Issue Tracking
CPE		cpe:2.3:a:mongodb:c_driver::::::mongodb::* cpe:2.3:a:mongodb:node.js::::::mongodb::* cpe:2.3:a:mongodb:swift_driver::::::mongodb::* cpe:2.3:a:mongodb:php_driver::::::mongodb::* cpe:2.3:a:mongodb:c\+\+::::::mongodb::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CWE		CWE-532

29 Aug 2023, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-29 16:15

Updated : 2024-11-21 06:06

NVD link : CVE-2021-32050

Mitre link : CVE-2021-32050

CVE.ORG link : CVE-2021-32050

JSON object : View

Products Affected

mongodb

c_driver
c\+\+
php_driver
swift_driver
node.js

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-532

Insertion of Sensitive Information into Log File

4.2 /10