MongoDB C# Driver Risk of Exposing Authentication Data via Command Listener

Moderate severity GitHub Reviewed Published May 24, 2022 to the GitHub Advisory Database • Updated Jan 23, 2024

Package

nuget mongodb.driver (NuGet)

Affected versions

>= 2.11.0, < 2.12.2

Patched versions

2.12.2

Description

Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authentication-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver 2.12 <= 2.12.1.
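The exposure path described above is an application-side command listener that writes whole command documents to a log sink. The following is an added example, not code from the advisory or from the MongoDB driver project, showing how a listener can redact the command names the advisory lists before anything reaches a log. Upgrading to 2.12.2 is the actual fix; this filter is a defence-in-depth measure for applications that must stay on an affected version for a while. The `SafeCommandLogging` class, the `Describe` helper, the console sink and the connection string are assumptions for illustration; `MongoClientSettings.ClusterConfigurator`, `ClusterBuilder.Subscribe<TEvent>`, `CommandStartedEvent` and `CommandSucceededEvent` are real driver APIs.

```csharp
// Added example (not from the advisory or the MongoDB driver project): a command
// listener that redacts the authentication-related commands the advisory names
// before they are written to a log. Console output and the URI are assumptions.
using System;
using System.Collections.Generic;
using MongoDB.Bson;
using MongoDB.Driver;
using MongoDB.Driver.Core.Events;

public static class SafeCommandLogging
{
    // Commands the advisory lists as carrying security-sensitive payloads.
    // Matched case-insensitively because the wire name may be lower-case (e.g. "ismaster").
    private static readonly HashSet<string> SensitiveCommands =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "saslStart", "saslContinue", "isMaster", "createUser", "updateUser"
        };

    // Returns the text that is safe to write to a log for a given command.
    // Sensitive commands are reduced to their name; other commands keep their body.
    public static string Describe(string commandName, BsonDocument command)
    {
        if (SensitiveCommands.Contains(commandName))
        {
            return $"{commandName} <redacted>";
        }
        return $"{commandName} {command.ToJson()}";
    }

    // Builds a client whose listener never logs the body (or reply) of a sensitive command.
    public static MongoClient CreateClient(string connectionString)
    {
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.ClusterConfigurator = cb =>
        {
            cb.Subscribe<CommandStartedEvent>(e =>
                Console.WriteLine($"[{e.RequestId}] started {Describe(e.CommandName, e.Command)}"));

            // Replies to saslStart/saslContinue also carry authentication payloads,
            // so only the command name and timing are logged here, never e.Reply.
            cb.Subscribe<CommandSucceededEvent>(e =>
                Console.WriteLine($"[{e.RequestId}] succeeded {e.CommandName} in {e.Duration.TotalMilliseconds} ms"));
        };
        return new MongoClient(settings);
    }

    // Demonstrates the redaction on constructed command documents; no server is needed.
    public static void Main()
    {
        // Constructed sample documents (not captured from a real session).
        var sasl = new BsonDocument
        {
            { "saslStart", 1 },
            { "mechanism", "SCRAM-SHA-256" },
            { "payload", new BsonBinaryData(new byte[] { 0x01, 0x02, 0x03 }) }
        };
        var find = new BsonDocument { { "find", "orders" }, { "filter", new BsonDocument("status", "open") } };

        Console.WriteLine(Describe("saslStart", sasl)); // saslStart <redacted>
        Console.WriteLine(Describe("find", find));      // find { "find" : "orders", "filter" : { "status" : "open" } }

        // Wiring the listener into a client (connection string is an assumption).
        var client = CreateClient("mongodb://localhost:27017");
        Console.WriteLine($"client configured for {client.Settings.Server}");
    }
}
```

The redaction is keyed on the command name rather than on the driver version, so it remains harmless after upgrading to 2.12.2 and protects against any other listener code path that might forward full command documents to a sink.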

References

Published by the National Vulnerability Database May 13, 2021
Published to the GitHub Advisory Database May 24, 2022
Reviewed Dec 20, 2023
Last updated Jan 23, 2024

Severity

Moderate 4.9 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2021-20331

GHSA ID

GHSA-p9rv-qgqw-jx2w

Source code

No known source code

Credits
