MongoDB Driver before 5.8.0 Command Listener Logs Sensitive Auth Data
CVE-2021-32050 Published on August 29, 2023
Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
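The mitigation on the application side is to never log a command event's body when the command is authentication-related. The listener below is an added example, not code from the advisory or from any MongoDB driver; it assumes the Node.js driver's command-monitoring API (`MongoClient` with `{ monitorCommands: true }` and `client.on('commandStarted', ...)`, whose events carry `requestId`, `databaseName`, `commandName` and `command`), and the set of sensitive command names is an assumption based on the commands the drivers themselves treat as security-sensitive.

```javascript
// Added example: redact authentication-related commands before logging command events.
// Assumption: events have the shape emitted by the Node.js driver's 'commandStarted' event.

// Command names (lower-cased) whose bodies can carry credentials or challenge/response data.
// Assumed list; not taken from the advisory.
const SENSITIVE_COMMANDS = new Set([
  'authenticate', 'saslstart', 'saslcontinue', 'getnonce',
  'createuser', 'updateuser', 'copydbgetnonce', 'copydbsaslstart', 'copydb',
]);

// hello / isMaster may embed a speculativeAuthenticate document; treat those as sensitive too.
function isSensitiveCommand(commandName, command) {
  const name = String(commandName).toLowerCase();
  if (SENSITIVE_COMMANDS.has(name)) return true;
  return (name === 'hello' || name === 'ismaster') &&
    command !== null && typeof command === 'object' &&
    Object.prototype.hasOwnProperty.call(command, 'speculativeAuthenticate');
}

// Build a log-safe record: metadata always, the command body only when it is not sensitive.
function redactCommandStarted(event) {
  return {
    requestId: event.requestId,
    databaseName: event.databaseName,
    commandName: event.commandName,
    command: isSensitiveCommand(event.commandName, event.command) ? '<redacted>' : event.command,
  };
}

// Wiring with the real driver (not executed in this self-contained example):
//   const client = new MongoClient(uri, { monitorCommands: true });
//   client.on('commandStarted', (e) => console.log(JSON.stringify(redactCommandStarted(e))));

// Constructed sample events standing in for what a driver would emit; the SCRAM payload is fake.
const sampleEvents = [
  { requestId: 1, databaseName: 'admin', commandName: 'saslStart',
    command: { saslStart: 1, mechanism: 'SCRAM-SHA-256', payload: 'n,,n=app,r=CONSTRUCTED-NONCE' } },
  { requestId: 2, databaseName: 'app', commandName: 'find',
    command: { find: 'orders', filter: { status: 'open' } } },
];

// Running stand-alone prints the redacted records; the first has command '<redacted>'.
for (const e of sampleEvents) console.log(JSON.stringify(redactCommandStarted(e)));
```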
Vulnerability Analysis
CVE-2021-32050 is exploitable with local system access and requires user interaction and user privileges. Attack complexity is considered low. A successful exploit is considered to have a high impact on confidentiality, with no impact on integrity or availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2021-32050 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2021-32050
Affected Versions
- MongoDB Inc MongoDB C Driver: version 1.0.0 and later, below 1.17.7, is affected.
- MongoDB Inc MongoDB C++ Driver: version 3.0.0 and later, below 3.7.0, is affected.
- MongoDB Inc MongoDB PHP Driver: version 1.0.0 and later, below 1.9.2, is affected.
- MongoDB Inc MongoDB Swift Driver: version 1.0.0 and later, below 1.1.1, is affected.
- MongoDB Inc MongoDB Node.js Driver: version 3.6 and later, below 3.6.10, is affected.
- MongoDB Inc MongoDB Node.js Driver: version 4.0 and later, below 4.17.0, is affected.
- MongoDB Inc MongoDB Node.js Driver: version 5.0 and later, below 5.8.0, is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.