CVE-2021-20332 is a vulnerability in MongoDB Rust Driver
Published on August 2, 2021
MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application
Specific MongoDB Rust Driver versions can include the credentials that the connection pool uses to authenticate connections in the monitoring event emitted when the pool is created. The user's logging infrastructure could then ingest these events and unexpectedly leak the credentials. Note that such monitoring is not enabled by default. This issue affects MongoDB Rust Driver version 2.0.0-alpha, version 2.0.0-alpha1, and versions 1.0.0 through 1.2.1 inclusive.
Vulnerability Analysis
CVE-2021-20332 is exploitable with local system access and requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity or availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2021-20332 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2021-20332
Affected Versions
MongoDB Inc. MongoDB Rust Driver:
- Version 2.0.0-alpha is affected.
- Version 2.0.0-alpha1 is affected.
- Versions 1.0.0 through 1.2.1 are affected.
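One way to check a project against the affected versions listed on this page, as an added example that is not code from MongoDB or from this page. It assumes the driver appears in Cargo.lock under the crate name mongodb, and it also accepts the dotted spelling 2.0.0-alpha.1 as an assumption about how the second alpha may be written in a lockfile; the function names are hypothetical.

```rust
// Added example (not MongoDB's code): flag `mongodb` crate entries in Cargo.lock
// text whose version is one this page lists as affected by CVE-2021-20332.

/// Split "1.2.1" or "2.0.0-alpha1" into ((major, minor, patch), pre-release tag).
fn parse_version(v: &str) -> Option<((u64, u64, u64), String)> {
    let v = v.split('+').next()?; // drop build metadata such as "+build5"
    let (core, pre) = v.split_once('-').unwrap_or((v, ""));
    let mut parts = core.split('.').map(|p| p.parse::<u64>());
    let triple = (parts.next()?.ok()?, parts.next()?.ok()?, parts.next()?.ok()?);
    if parts.next().is_some() {
        return None; // more than three numeric components
    }
    Some((triple, pre.to_string()))
}

/// True when `version` is one the page lists as affected.
pub fn is_affected(version: &str) -> bool {
    match parse_version(version.trim()) {
        // Pre-releases: only the two 2.0.0 alphas named on the page.
        // "alpha.1" is an assumed alternative spelling of the page's "alpha1".
        Some((core, pre)) if !pre.is_empty() => {
            core == (2, 0, 0) && ["alpha", "alpha1", "alpha.1"].contains(&pre.as_str())
        }
        // Releases: 1.0.0 through 1.2.1 inclusive (tuples compare field by field).
        Some((core, _)) => (1, 0, 0) <= core && core <= (1, 2, 1),
        None => false,
    }
}

/// Return every affected `mongodb` version recorded in the given Cargo.lock text.
pub fn affected_in_lockfile(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name = "";
    for line in lock.lines().map(str::trim) {
        if let Some(n) = line.strip_prefix("name = ") {
            name = n.trim_matches('"');
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            if name == "mongodb" && is_affected(v) {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

fn main() {
    // Constructed sample lockfile, not taken from a real project.
    let lock = "[[package]]\nname = \"bson\"\nversion = \"1.2.0\"\n\n[[package]]\nname = \"mongodb\"\nversion = \"1.2.1\"\n";
    for v in affected_in_lockfile(lock) {
        println!("mongodb {} is listed as affected by CVE-2021-20332", v);
    }
}
```

A hit means the credential exposure described above applies only if the application has also configured a connection pool event listener, since that monitoring is not enabled by default.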
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.