Jeffrey Yemin

Name of the Vulnerable Software and Affected Versions: MongoDB C# Driver versions 2.12.0 through 2.12.1 Description: The MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature, which is not enabled by default. Recommendations: For MongoDB C# Driver versions 2.12.0 through 2.12.1, consider disabling the command listener feature to prevent the exposure of authentication-related data until a patch is available. As a temporary workaround, restrict access to the command listener to minimize the risk of exploitation. Avoid writing security-sensitive data to log files.

Name of the Vulnerable Software and Affected Versions: Java driver versions that support client-side field level encryption (CSFLE) Description: The issue arises from the Java driver's failure to perform correct host name verification on the KMS server's certificate, which, in combination with a privileged network position active MITM attack, could result in interception of traffic between the Java driver and the KMS service. This renders Field Level Encryption ineffective. The Java async, Scala, and reactive streams drivers are not impacted. Additionally, this issue does not affect driver traffic payloads with CSFLE-supported key services originating from applications inside the AWS, GCP, and Azure network fabrics due to existing controls in these environments. It also does not impact driver workloads that do not use Field Level Encryption. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.