high
7.5
CWE
532 200
Advisory Published
Advisory Published
Updated

CVE-2021-32050: Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application

First published: Tue Aug 29 2023(Updated: )

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

Credit: cna@mongodb.com cna@mongodb.com cna@mongodb.com

Affected SoftwareAffected VersionHow to fix
Mongodb C\+\+>=1.0.0<1.17.7
Mongodb C Driver>=1.0.0<1.17.7
Mongodb Node.js>=3.6<3.6.10
Mongodb Node.js>=4.0<4.17.0
Mongodb Node.js>=5.0<5.8.0
Mongodb Php Driver>=1.0.0<1.9.2
Mongodb Swift Driver>=1.0.0<1.1.1
swift/github.com/mongodb/mongo-swift-driver>=1.0.0<1.1.1
1.1.1
npm/mongodb>=5.0.0<5.8.0
5.8.0
npm/mongodb>=4.0.0<4.17.0
4.17.0
npm/mongodb>=3.6.0<3.6.10
3.6.10
composer/mongodb/mongodb>=1.0.0<1.9.2
1.9.2

Remedy

https://jira.mongodb.org/browse/CDRIVER-3797

Remedy

https://jira.mongodb.org/browse/CXX-2028

Remedy

https://jira.mongodb.org/browse/NODE-3356

Remedy

https://jira.mongodb.org/browse/PHPC-1869

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2021-32050?

    CVE-2021-32050 is a vulnerability in MongoDB Drivers that can result in the publication of security-sensitive data when certain authentication-related commands are executed.

  • How severe is CVE-2021-32050?

    CVE-2021-32050 has a severity rating of 7.5 (high).

  • Which software versions are affected by CVE-2021-32050?

    The affected software versions include Swift MongoDB Driver v1.0.0 to v1.1.1, Node.js MongoDB Driver v3.6.0 to v3.6.10, v4.0.0 to v4.17.0, and v5.0.0 to v5.8.0, PHP MongoDB Driver v1.0.0 to v1.9.2, MongoDB C++ Driver v1.0.0 to v1.17.7, and MongoDB C Driver v1.0.0 to v1.17.7.

  • How can the CVE-2021-32050 vulnerability be mitigated?

    To mitigate the CVE-2021-32050 vulnerability, it is recommended to update the affected MongoDB Drivers to the latest versions, which contain the necessary security patches.

  • Where can I find more information about CVE-2021-32050?

    You can find more information about CVE-2021-32050 on the NIST National Vulnerability Database (NVD) website.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203