First published: Tue Aug 29 2023(Updated: )
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
Credit: cna@mongodb.com cna@mongodb.com cna@mongodb.com
Affected Software | Affected Version | How to fix |
---|---|---|
Mongodb C\+\+ | >=1.0.0<1.17.7 | |
Mongodb C Driver | >=1.0.0<1.17.7 | |
Mongodb Node.js | >=3.6<3.6.10 | |
Mongodb Node.js | >=4.0<4.17.0 | |
Mongodb Node.js | >=5.0<5.8.0 | |
Mongodb Php Driver | >=1.0.0<1.9.2 | |
Mongodb Swift Driver | >=1.0.0<1.1.1 | |
swift/github.com/mongodb/mongo-swift-driver | >=1.0.0<1.1.1 | 1.1.1 |
npm/mongodb | >=5.0.0<5.8.0 | 5.8.0 |
npm/mongodb | >=4.0.0<4.17.0 | 4.17.0 |
npm/mongodb | >=3.6.0<3.6.10 | 3.6.10 |
composer/mongodb/mongodb | >=1.0.0<1.9.2 | 1.9.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-32050 is a vulnerability in MongoDB Drivers that can result in the publication of security-sensitive data when certain authentication-related commands are executed.
CVE-2021-32050 has a severity rating of 7.5 (high).
The affected software versions include Swift MongoDB Driver v1.0.0 to v1.1.1, Node.js MongoDB Driver v3.6.0 to v3.6.10, v4.0.0 to v4.17.0, and v5.0.0 to v5.8.0, PHP MongoDB Driver v1.0.0 to v1.9.2, MongoDB C++ Driver v1.0.0 to v1.17.7, and MongoDB C Driver v1.0.0 to v1.17.7.
To mitigate the CVE-2021-32050 vulnerability, it is recommended to update the affected MongoDB Drivers to the latest versions, which contain the necessary security patches.
You can find more information about CVE-2021-32050 on the NIST National Vulnerability Database (NVD) website.