CVE-2021-20331
Summary
| CVE | CVE-2021-20331 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-05-13 08:15:00 UTC |
| Updated | 2024-01-23 17:15:00 UTC |
| Description | Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver 2.12 <= 2.12.1. |
Risk And Classification
Problem Types: CWE-200
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [CSHARP-3521] Security sensitive commands are not redacted in command started events - MongoDB Jira | CONFIRM | jira.mongodb.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Citrix Systems, Inc.
Legacy QID Mappings
- 996400 DotNet (Nuget) Security Update for mongodb.driver (GHSA-p9rv-qgqw-jx2w)