CVE-2021-20331
MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application
Public Exploits: 0
Exploited in Wild: -
Descriptions
Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authentication-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver v2.12 versions prior to and including 2.12.1.
CVSS Scores
SSVC
- Decision: Track
Timeline
- 2020-12-17 CVE Reserved
- 2021-05-13 CVE Published
- 2023-03-08 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (1)
URL | Date | SRC |
---|---|---|
https://jira.mongodb.org/browse/CSHARP-3521 | 2024-01-23 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Mongodb | C# Driver | >= 2.12.0 < 2.12.2 | mongodb | Affected |
Mongodb | C# Driver | 2.11.0 | mongodb | Affected |