PT-2023-4650 · Mongodb+2 · Mongodb Php Driver+5

Daria Pardue +1 · Published 2023-08-29 · Updated 2025-05-20 · CVE-2021-32050

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

MongoDB C Driver versions 1.0.0 through 1.17.7
MongoDB PHP Driver versions 1.0.0 through 1.9.2
MongoDB Swift Driver versions 1.0.0 through 1.1.1
MongoDB Node.js Driver 3.6 versions 3.6 through 3.6.10
MongoDB Node.js Driver 4.0 versions 4.0 through 4.17.0
MongoDB Node.js Driver 5.0 versions 5.0 through 5.8.0
MongoDB C++ Driver versions prior to 3.7.0

Description

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature, which is not enabled by default.

Recommendations

For MongoDB C Driver versions 1.0.0 through 1.17.7, update to version 1.17.7 or later.
For MongoDB PHP Driver versions 1.0.0 through 1.9.2, update to version 1.9.2 or later.
For MongoDB Swift Driver versions 1.0.0 through 1.1.1, update to version 1.1.1 or later.
For MongoDB Node.js Driver 3.6 versions 3.6 through 3.6.10, update to version 3.6.10 or later.
For MongoDB Node.js Driver 4.0 versions 4.0 through 4.17.0, update to version 4.17.0 or later.
For MongoDB Node.js Driver 5.0 versions 5.0 through 5.8.0, update to version 5.8.0 or later.
For MongoDB C++ Driver versions prior to 3.7.0, update to version 3.7.0 or later.
As a temporary workaround, consider disabling the command listener feature until a patch is available.
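
For applications that must keep a command listener enabled, one way to apply the "due care" the description mentions is to redact events before they reach a logger. The following is an added example, not code from this advisory or from any MongoDB driver; the function names (isSensitive, redactEvent, safeListener, logLines) and the sample events are constructed for illustration, and the command list is assumed to follow the sensitive-command list in the MongoDB command monitoring specification.

```javascript
// Added example: redact authentication-related command events before logging.
// Event fields (commandName, command, reply, failure) mirror the Node.js driver's
// command monitoring events; all function names here are illustrative.

// Sensitive commands per the MongoDB command monitoring specification (lowercased).
const SENSITIVE_COMMANDS = new Set([
  'authenticate', 'saslstart', 'saslcontinue', 'getnonce', 'createuser',
  'updateuser', 'copydbgetnonce', 'copydbsaslstart', 'copydb',
]);
const HANDSHAKE_COMMANDS = new Set(['hello', 'ismaster']);

function isSensitive(event) {
  const name = String(event.commandName || '').toLowerCase();
  if (SENSITIVE_COMMANDS.has(name)) return true;
  if (!HANDSHAKE_COMMANDS.has(name)) return false;
  // Handshakes are sensitive only when they carry speculative authentication.
  return [event.command, event.reply].some(
    (doc) => doc && typeof doc === 'object' && 'speculativeAuthenticate' in doc);
}

// Returns a copy that is safe to log; the original event is not modified.
function redactEvent(event) {
  if (!isSensitive(event)) return event;
  const safe = { ...event, redacted: true };
  for (const field of ['command', 'reply', 'failure']) {
    if (field in safe) safe[field] = {};
  }
  return safe;
}

// Wraps a listener so it only ever receives redacted events, e.g.
// client.on('commandStarted', safeListener(logFn)) in an application.
function safeListener(listener) {
  return (event) => listener(redactEvent(event));
}

// Constructed sample events (not captured from a real deployment).
const sampleEvents = [
  { commandName: 'saslStart', command: { saslStart: 1, payload: 'CONSTRUCTED-PAYLOAD' } },
  { commandName: 'hello', command: { hello: 1, speculativeAuthenticate: { payload: 'CONSTRUCTED-PAYLOAD' } } },
  { commandName: 'find', command: { find: 'orders', filter: { status: 'open' } } },
];

// Runs events through a wrapped listener and returns the lines it would log.
function logLines(events) {
  const lines = [];
  events.forEach(safeListener((e) => lines.push(JSON.stringify(e))));
  return lines;
}
console.log(logLines(sampleEvents).join('\n'));
```

The wrapper is a defense-in-depth measure for the logging path only; it does not replace updating the driver as listed under Recommendations.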

Fix

Information Disclosure

Insertion into Log File

Weakness Enumeration

Related Identifiers

BDU:2023-05059
CVE-2021-32050
DLA-4175-1
GHSA-VXVM-QWW3-2FH7

Affected Products

Astra Linux
Debian
Mongodb C Driver
Mongodb Node.Js Driver
Mongodb Php Driver
Mongodb Swift Driver