PT-2021-13890 · MongoDB · MongoDB C# Driver

Jeffrey Yemin · Published 2021-05-13 · Updated 2024-09-16 · CVE-2021-20331

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: MongoDB C# Driver versions 2.12.0 through 2.12.1
Description: The MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authentication-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature, which is not enabled by default.
Recommendations: For MongoDB C# Driver versions 2.12.0 through 2.12.1, consider disabling the command listener feature to prevent the exposure of authentication-related data until a patch is available. As a temporary workaround, restrict access to the command listener to minimize the risk of exploitation. Avoid writing security-sensitive data to log files.
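The recommendation above asks applications that keep the command listener enabled to avoid writing security-sensitive data to logs. The following C# snippet is an added example, not code from this advisory or from the MongoDB driver project: it registers a CommandStartedEvent subscriber through MongoClientSettings.ClusterConfigurator and logs only the command name, never the payload, for the five command names the advisory lists. The class name RedactingCommandListener, the connection string, and the use of Console.WriteLine as the log sink are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using MongoDB.Bson;
using MongoDB.Driver;
using MongoDB.Driver.Core.Events;

// Added example, not part of the advisory or the driver.
// A command listener that refuses to forward the payload of commands
// that can carry credentials, so an affected 2.12.x driver cannot push
// authentication material into the application's log through this path.
public static class RedactingCommandListener
{
    // Command names taken from the advisory's description; on affected
    // driver versions their events may include authentication data.
    private static readonly HashSet<string> SensitiveCommands =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "saslStart", "saslContinue", "isMaster", "createUser", "updateUser"
        };

    // Produces the single line that is safe to write to a log for one event.
    // The BsonDocument of a sensitive command is never serialized.
    public static string Describe(string commandName, BsonDocument command)
    {
        if (SensitiveCommands.Contains(commandName))
        {
            return $"command={commandName} payload=<redacted>";
        }
        return $"command={commandName} payload={command.ToJson()}";
    }

    // Builds client settings whose cluster configurator subscribes the
    // redacting logger to CommandStartedEvent. 'log' is the caller's sink.
    public static MongoClientSettings Configure(string connectionString, Action<string> log)
    {
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.ClusterConfigurator = cb =>
        {
            cb.Subscribe<CommandStartedEvent>(e => log(Describe(e.CommandName, e.Command)));
        };
        return settings;
    }
}

public static class Program
{
    public static void Main()
    {
        // Hypothetical local server; replace with the real connection string.
        var settings = RedactingCommandListener.Configure(
            "mongodb://localhost:27017", Console.WriteLine);
        var client = new MongoClient(settings);

        // Any command issued through the client now passes through the
        // redacting listener before anything reaches the log.
        client.GetDatabase("admin").RunCommand<BsonDocument>(new BsonDocument("ping", 1));
    }
}
```

Filtering by command name rather than by inspecting the document is deliberate: the listener cannot know which fields of a saslStart or speculative-authentication isMaster payload hold credentials, so dropping the whole payload for those commands is the only reliable rule. The same name-based filter should be applied to CommandSucceededEvent and CommandFailedEvent if those are subscribed as well, since their replies can carry the server side of the same exchange.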

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2021-20331
GHSA-P9RV-QGQW-JX2W

Affected Products

MongoDB C# Driver