CVE-2021-20332 – MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application
https://notcve.org/view.php?id=CVE-2021-20332
Specific MongoDB Rust Driver versions can include the credentials the connection pool uses to authenticate connections in the monitoring event that is emitted when the pool is created. An application's logging infrastructure could then ingest these events and unexpectedly leak the credentials. Such monitoring is not enabled by default. This issue affects MongoDB Rust Driver 2.0.0-alpha, 2.0.0-alpha1, and 1.0.0 through 1.2.1 inclusive. An application that registered a pool event handler on an affected version and forwarded those events to its logs should treat the logs as containing the database password and rotate it.
• https://jira.mongodb.org/browse/RUST-591 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2021-20333 – Server log entry spoofing via newline injection
https://notcve.org/view.php?id=CVE-2021-20333
Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated, or in existing log entries being split. This issue affects MongoDB Server 3.6 versions prior to 3.6.20, 4.0 versions prior to 4.0.21 and 4.2 versions prior to 4.2.10. Because a forged line can be shaped to look like any other server log entry, alerting or audit logic built on the text logs of an unpatched server cannot distinguish injected entries from real ones.
• https://jira.mongodb.org/browse/SERVER-50605 • CWE-116: Improper Encoding or Escaping of Output • CWE-117: Improper Output Neutralization for Logs •
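The mechanism behind the spoofing, as an added example that is not part of the advisory or of MongoDB's code: a line-oriented logger interpolates attacker-controlled command text verbatim, so a newline inside it ends the genuine entry and starts a forged one that a log shipper or SIEM parses as a separate event. The log line shape, connection id and payload below are constructed for illustration and do not reproduce mongod's real log format; the remedy shown (escaping control characters before interpolation, the generic CWE-116/117 fix) is likewise a stand-in, not the server's patch.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed attacker-controlled command text. Everything after the "\n"
// mimics an authentication-success entry; the line shape is a simplified
// stand-in for a server log, not MongoDB's actual format.
const spoofPayload = "{ find: \"users\" }\n" +
	"I  ACCESS   [conn7] Successfully authenticated as principal admin on admin"

// LogLineUnsafe interpolates the command text verbatim (the CWE-117 pattern).
func LogLineUnsafe(conn, cmd string) string {
	return fmt.Sprintf("I  COMMAND  [%s] command admin.$cmd %s\n", conn, cmd)
}

// LogLineSafe neutralises control characters first, so one event always
// occupies exactly one physical line.
func LogLineSafe(conn, cmd string) string {
	return fmt.Sprintf("I  COMMAND  [%s] command admin.$cmd %s\n", conn, Neutralise(cmd))
}

// Neutralise renders newlines, carriage returns and other control bytes as
// visible escape sequences. strconv.Quote already does this; the surrounding
// quotes are dropped so the text still reads like the original command.
func Neutralise(s string) string {
	q := strconv.Quote(s)
	return q[1 : len(q)-1]
}

// Entries splits a log buffer the way a line-oriented log shipper would.
func Entries(buf string) []string {
	return strings.Split(strings.TrimSuffix(buf, "\n"), "\n")
}

// Forged returns the entries a consumer would accept as ACCESS events; on the
// unsafe path the injected line is indistinguishable from a genuine one.
func Forged(buf string) []string {
	var out []string
	for _, e := range Entries(buf) {
		if strings.HasPrefix(e, "I  ACCESS") {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	unsafe := LogLineUnsafe("conn7", spoofPayload)
	safe := LogLineSafe("conn7", spoofPayload)
	fmt.Printf("unsafe: %d entries, %d forged ACCESS entries\n", len(Entries(unsafe)), len(Forged(unsafe)))
	fmt.Printf("safe:   %d entries, %d forged ACCESS entries\n", len(Entries(safe)), len(Forged(safe)))
	fmt.Print(safe)
}
```

The same check applies in reverse when reviewing a log pipeline: any field that originates from a client (command bodies, database and collection names, client metadata) must be escaped by the producer, because a consumer that splits on newlines has no way to recover the original record boundaries after the fact.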
CVE-2021-20329 – Specific cstrings input may not be properly validated in the Go Driver
https://notcve.org/view.php?id=CVE-2021-20329
Specific cstring inputs may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with a specially crafted string to inject additional fields into the marshalled documents. This issue affects all MongoDB Go Driver versions up to and including 1.5.0; the referenced v1.5.1 release is the fix.
• https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1 • https://access.redhat.com/security/cve/CVE-2021-20329 • https://bugzilla.redhat.com/show_bug.cgi?id=1971033 • CWE-20: Improper Input Validation • CWE-1287: Improper Validation of Specified Type of Input •
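What "injecting additional fields" means at the byte level, as an added example that is not the Go driver's code: a BSON key is a NUL-terminated cstring, so a key that contains 0x00 ends early for any conforming reader and the bytes after it are parsed as further elements. The minimal hand-rolled encoder and decoder below (string elements only) stand in for the driver's bsoncodec so the example runs offline; Elem, MarshalUnsafe, MarshalSafe, Decode and InjectedKey are constructed names, and the mitigation shown (rejecting keys with embedded NUL before encoding) is the general fix the advisory implies, not a copy of the v1.5.1 patch.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Elem is one BSON key/value pair. Only string values (type 0x02) are handled;
// that is enough to show how an unvalidated cstring key smuggles in fields.
type Elem struct{ Key, Val string }

func appendInt32(b []byte, v int32) []byte {
	var buf [4]byte
	binary.LittleEndian.PutUint32(buf[:], uint32(v))
	return append(b, buf[:]...)
}

// appendCString trusts the caller: a key containing 0x00 is written as-is.
func appendCString(b []byte, s string) []byte { return append(append(b, s...), 0) }

// MarshalUnsafe reproduces the flaw: keys reach appendCString unchecked.
// Element layout: 0x02, key cstring, int32 length (incl. NUL), bytes, NUL.
func MarshalUnsafe(elems []Elem) []byte {
	var body []byte
	for _, e := range elems {
		body = appendCString(append(body, 0x02), e.Key)
		body = appendCString(appendInt32(body, int32(len(e.Val)+1)), e.Val)
	}
	doc := appendInt32(nil, int32(len(body)+5)) // length covers itself and the final 0x00
	return append(append(doc, body...), 0)
}

// MarshalSafe is the fix: a cstring cannot contain 0x00, so reject such keys.
// String values are length-prefixed and may legitimately contain NUL.
func MarshalSafe(elems []Elem) ([]byte, error) {
	for _, e := range elems {
		if strings.IndexByte(e.Key, 0) >= 0 {
			return nil, fmt.Errorf("key %q contains a null byte", e.Key)
		}
	}
	return MarshalUnsafe(elems), nil
}

// Decode reads a document back the way a conforming BSON reader does: a key
// ends at the FIRST 0x00, whatever the encoder intended.
func Decode(doc []byte) ([]Elem, error) {
	if len(doc) < 5 {
		return nil, errors.New("document too short")
	}
	n := int(binary.LittleEndian.Uint32(doc))
	if n != len(doc) || doc[n-1] != 0 {
		return nil, errors.New("bad length or missing terminator")
	}
	p := 4
	take := func(k int) ([]byte, error) { // next k bytes, never past the terminator
		if k < 0 || p+k > n-1 {
			return nil, errors.New("truncated element")
		}
		p += k
		return doc[p-k : p], nil
	}
	var out []Elem
	for doc[p] != 0 {
		if doc[p] != 0x02 {
			return nil, fmt.Errorf("unsupported element type 0x%02x", doc[p])
		}
		p++
		end := p
		for end < n-1 && doc[end] != 0 {
			end++
		}
		key := string(doc[p:end])
		p = end + 1
		hdr, err := take(4)
		if err != nil {
			return nil, err
		}
		val, err := take(int(int32(binary.LittleEndian.Uint32(hdr))) - 1)
		if err != nil {
			return nil, err
		}
		if _, err = take(1); err != nil { // the value's own NUL
			return nil, err
		}
		out = append(out, Elem{key, string(val)})
	}
	return out, nil
}

// InjectedKey is a constructed attacker-controlled key. After its early NUL it
// carries a complete value for "name", a whole {role: "admin"} element and the
// start of a dummy element whose key the encoder's own NUL will terminate, so
// the real value lands there and the document still parses cleanly.
func InjectedKey() string {
	b := appendCString(nil, "name")
	b = appendCString(appendInt32(b, 6), "alice")
	b = appendCString(append(b, 0x02), "role")
	b = appendCString(appendInt32(b, 6), "admin")
	b = append(append(b, 0x02), "trailer"...)
	return string(b)
}

func main() {
	elems, err := Decode(MarshalUnsafe([]Elem{{InjectedKey(), "bob"}}))
	fmt.Println(elems, err)
	_, err = MarshalSafe([]Elem{{InjectedKey(), "bob"}})
	fmt.Println(err)
}
```

The document length and terminator are both correct on the injected document, so nothing downstream flags it; the only defence is validating cstrings at encode time. The practical exposure is any path where untrusted input becomes a key, for example a map[string]interface{} built from a client-supplied JSON object.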
CVE-2021-20331 – MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application
https://notcve.org/view.php?id=CVE-2021-20331
Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser" and "updateUser" are executed. Without due care, an application may inadvertently expose this authentication-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature, which is not enabled by default. This issue affects MongoDB C# Driver 2.12 versions up to and including 2.12.1.
• https://jira.mongodb.org/browse/CSHARP-3521 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
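This entry and the Rust driver entry CVE-2021-20332 above come down to the same design rule: credential-bearing events must be redacted inside the driver, before an application-registered listener can hand them to a logger. The following is an added example illustrating that rule; it is not code from either driver. Event, CommandStarted, PoolCreated, RedactingListener and the sample credential are constructed, and the event shapes are simplified stand-ins for the real event types. The command list is the one this advisory names plus authenticate, getnonce, copydb, copydbgetnonce and copydbsaslstart, which the cross-driver command monitoring specification also treats as sensitive; hello/isMaster is sensitive only when it carries speculativeAuthenticate.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is what a driver hands to an application-registered listener. Both
// shapes below are constructed stand-ins, not the drivers' real event types.
type Event interface{ Kind() string }

// CommandStarted carries a command name and its body.
type CommandStarted struct {
	Name string
	Body map[string]interface{}
}

// PoolCreated carries the options the pool was built with, including the
// credential it will use to authenticate new connections.
type PoolCreated struct{ Address, Username, Password string }

func (CommandStarted) Kind() string { return "command_started" }
func (PoolCreated) Kind() string    { return "pool_created" }

// sensitiveCommands is keyed by lower-cased command name.
var sensitiveCommands = map[string]bool{
	"authenticate": true, "saslstart": true, "saslcontinue": true, "getnonce": true,
	"createuser": true, "updateuser": true,
	"copydb": true, "copydbgetnonce": true, "copydbsaslstart": true,
}

// IsSensitiveCommand reports whether a command body may carry credentials.
// hello/isMaster counts only when it performs speculative authentication.
func IsSensitiveCommand(name string, body map[string]interface{}) bool {
	n := strings.ToLower(name)
	if n == "ismaster" || n == "hello" {
		_, ok := body["speculativeAuthenticate"]
		return ok
	}
	return sensitiveCommands[n]
}

// Redact returns a copy of ev with credential material removed. A sensitive
// command loses its whole body: scrubbing individual fields would require
// knowing every place a secret can appear.
func Redact(ev Event) Event {
	switch e := ev.(type) {
	case CommandStarted:
		if IsSensitiveCommand(e.Name, e.Body) {
			e.Body = map[string]interface{}{}
		}
		return e
	case PoolCreated:
		if e.Password != "" {
			e.Password = "<redacted>"
		}
		return e
	}
	return ev
}

// RedactingListener wraps an application listener so redaction happens in the
// driver layer, before application code or its logger ever sees the event.
func RedactingListener(next func(Event)) func(Event) {
	return func(ev Event) { next(Redact(ev)) }
}

// Render is the naive log line an application might emit for an event.
func Render(ev Event) string { return fmt.Sprintf("%s %+v", ev.Kind(), ev) }

// Leaks reports whether a rendered line still contains any of the secrets.
func Leaks(line string, secrets ...string) bool {
	for _, s := range secrets {
		if s != "" && strings.Contains(line, s) {
			return true
		}
	}
	return false
}

// SampleEvents is a constructed sequence: pool creation, a SCRAM client proof,
// a speculative-auth isMaster and an ordinary find. secret stands in both for
// the password and for proof material derived from it.
func SampleEvents(secret string) []Event {
	return []Event{
		PoolCreated{Address: "db:27017", Username: "app", Password: secret},
		CommandStarted{Name: "saslContinue", Body: map[string]interface{}{"payload": "c=biws,r=nonce,p=" + secret}},
		CommandStarted{Name: "isMaster", Body: map[string]interface{}{
			"speculativeAuthenticate": map[string]interface{}{"payload": secret}}},
		CommandStarted{Name: "find", Body: map[string]interface{}{"find": "users"}},
	}
}

// RenderThrough feeds events to a logging listener, with or without the
// redacting wrapper, and returns the lines the logger received.
func RenderThrough(events []Event, redact bool) []string {
	var lines []string
	listener := func(ev Event) { lines = append(lines, Render(ev)) }
	if redact {
		listener = RedactingListener(listener)
	}
	for _, ev := range events {
		listener(ev)
	}
	return lines
}

func main() {
	const secret = "s3cr3t-pass" // constructed credential
	for _, redact := range []bool{false, true} {
		for _, l := range RenderThrough(SampleEvents(secret), redact) {
			fmt.Printf("redact=%-5v leaks=%-5v %s\n", redact, Leaks(l, secret), l)
		}
	}
}
```

The Leaks check is the one worth keeping in a test suite for any application that enables command or pool monitoring: feed a known credential through the real driver's listener and assert that it never appears in what the logger received, which catches a regression like the two above on upgrade.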
CVE-2021-20326 – Specially crafted query may result in a denial of service of mongod
https://notcve.org/view.php?id=CVE-2021-20326
A user authorized to perform a specific type of find query may trigger a denial of service. This issue affects MongoDB Server 4.4 versions prior to 4.4.4.
• https://jira.mongodb.org/browse/SERVER-53929 • CWE-20: Improper Input Validation • CWE-732: Incorrect Permission Assignment for Critical Resource •