CVE-2021-20327

Name of the Vulnerable Software and Affected Versions: mongodb-client-encryption module version 1.2.0

Description: The issue arises from the mongodb-client-encryption module's failure to correctly validate the KMS server's certificate. This could allow an attacker with a privileged network position to intercept traffic between the Node.js driver and the KMS service, rendering client-side field level encryption (CSFLE) ineffective. The vulnerability was discovered during internal testing and does not impact driver traffic payloads with CSFLE-supported key services from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. Additionally, it does not affect driver workloads that don't use Field Level Encryption.

Recommendations: As a temporary workaround, consider disabling the use of the mongodb-client-encryption module version 1.2.0 until a patch is available. Restrict access to the KMS service to minimize the risk of exploitation. Avoid using the vulnerable module in environments where CSFLE is crucial. At the moment, there is no information about a newer version that contains a fix for this vulnerability.