CVE-2021-20328 in MongoDB and Quarkus Products
Published on February 25, 2021

MongoDB Java driver client-side field level encryption not verifying KMS host name

Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS servers certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that dont use Field Level Encryption.

NVD

Vulnerability Analysis

Attack Vector:

ADJACENT_NETWORK

Attack Complexity:

HIGH

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

NONE

Weakness Type

Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.

Products Associated with CVE-2021-20328

stack.watch emails you whenever new vulnerabilities are published in MongoDB Java Driver or Quarkus. Just hit a watch button to start following.

MongoDB Java Driver

Quarkus

Affected Versions

MongoDB Inc. mongo-java-driver:

Version 3.11, <= 3.11.2 is affected.
Version 3.12, <= 3.12.7 is affected.

MongoDB Inc. mongodb-driver:

Version 3.11, <= 3.11.2 is affected.
Version 3.12, <= 3.12.7 is affected.

MongoDB Inc. mongodb-driver-sync:

Version 4.2.0 is affected.
Version 3.11, <= 3.11.2 is affected.
Version 3.12, <= 3.12.7 is affected.
Version 4.0, <= 4.0.5 is affected.
Version 4.1, <= 4.1.1 is affected.

MongoDB Inc. mongodb-driver-legacy:

Version 4.2.0 is affected.
Version 3.11, <= 3.11.2 is affected.
Version 3.12, <= 3.12.7 is affected.
Version 4.0, <= 4.0.5 is affected.
Version 4.1, <= 4.1.1 is affected.

mongodb java_driver:

Version 3.11, <= 3.11.2 is affected.
Version 3.12, <= 3.12.7 is affected.

Exploit Probability

EPSS

0.13%

Percentile

32.23%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

CVE-2021-20328 in MongoDB and Quarkus ProductsPublished on February 25, 2021

Vulnerability Analysis

Weakness Type

Improper Certificate Validation

Products Associated with CVE-2021-20328

Affected Versions

Exploit Probability

CVE-2021-20328 in MongoDB and Quarkus Products
Published on February 25, 2021