csaf_certbund - wid-sec-w-2023-2208

WID-SEC-W-2023-2208

Vulnerability from csaf_certbund - Published: 2023-08-29 22:00 - Updated: 2025-05-20 22:00

Summary

MongoDB: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

MongoDB ist ein Open-Source-Dokumentendatenbank.

Angriff

Ein lokaler Angreifer kann eine Schwachstelle in MongoDB ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - MacOS X - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "niedrig"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "MongoDB ist ein Open-Source-Dokumentendatenbank.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann eine Schwachstelle in MongoDB ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2208 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2208.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2208 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2208"
      },
      {
        "category": "external",
        "summary": "MongoDB Security Notification vom 2023-08-29",
        "url": "https://jira.mongodb.org/browse/PHPC-1869"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4175 vom 2025-05-20",
        "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00027.html"
      }
    ],
    "source_lang": "en-US",
    "title": "MongoDB: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2025-05-20T22:00:00.000+00:00",
      "generator": {
        "date": "2025-05-21T08:29:10.309+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2023-2208",
      "initial_release_date": "2023-08-29T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-08-29T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-05-20T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.9.2",
                "product": {
                  "name": "Open Source MongoDB \u003c1.9.2",
                  "product_id": "T029619"
                }
              },
              {
                "category": "product_version",
                "name": "1.9.2",
                "product": {
                  "name": "Open Source MongoDB 1.9.2",
                  "product_id": "T029619-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mongodb:mongodb:1.9.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "MongoDB"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-32050",
      "product_status": {
        "known_affected": [
          "2951",
          "T029619"
        ]
      },
      "release_date": "2023-08-29T22:00:00.000+00:00",
      "title": "CVE-2021-32050"
    }
  ]
}

CVE-2021-32050 (GCVE-0-2021-32050)

Vulnerability from cvelistv5 – Published: 2023-08-29 15:24 – Updated: 2025-11-03 19:25

Summary

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

Severity ?

4.2 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

mongodb

References

URL

Tags

	https://jira.mongodb.org/browse/PHPC-1869
	https://jira.mongodb.org/browse/CXX-2028
	https://jira.mongodb.org/browse/SWIFT-1229
	https://jira.mongodb.org/browse/CDRIVER-3797
	https://jira.mongodb.org/browse/NODE-3356
	https://security.netapp.com/advisory/ntap-2023100…

Impacted products

Vendor

Product

Version

MongoDB Inc

MongoDB C Driver

Affected: 1.0.0 , < 1.17.7 (custom)

MongoDB Inc	MongoDB C++ Driver	Affected: 3.0.0 , < 3.7.0 (custom)
MongoDB Inc	MongoDB PHP Driver	Affected: 1.0.0 , < 1.9.2 (custom)
MongoDB Inc	MongoDB Swift Driver	Affected: 1.0.0 , < 1.1.1 (custom)
MongoDB Inc	MongoDB Node.js Driver	Affected: 3.6 , < 3.6.10 (custom) Affected: 4.0 , < 4.17.0 (custom) Affected: 5.0 , < 5.8.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:25:48.021Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.mongodb.org/browse/PHPC-1869"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.mongodb.org/browse/CXX-2028"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.mongodb.org/browse/SWIFT-1229"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.mongodb.org/browse/CDRIVER-3797"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.mongodb.org/browse/NODE-3356"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231006-0001/"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00027.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-32050",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-30T17:34:56.433321Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-30T17:46:35.484Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MongoDB C Driver",
          "vendor": "MongoDB Inc",
          "versions": [
            {
              "lessThan": "1.17.7",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MongoDB C++ Driver",
          "vendor": "MongoDB Inc",
          "versions": [
            {
              "lessThan": "3.7.0",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MongoDB PHP Driver",
          "vendor": "MongoDB Inc",
          "versions": [
            {
              "lessThan": "1.9.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MongoDB Swift Driver",
          "vendor": "MongoDB Inc",
          "versions": [
            {
              "lessThan": "1.1.1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MongoDB Node.js Driver",
          "vendor": "MongoDB Inc",
          "versions": [
            {
              "lessThan": "3.6.10",
              "status": "affected",
              "version": "3.6",
              "versionType": "custom"
            },
            {
              "lessThan": "4.17.0",
              "status": "affected",
              "version": "4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.8.0",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThis issue only arises if an application enables the command listener feature (this is not enabled by default).\u003c/p\u003e"
            }
          ],
          "value": "This issue only arises if an application enables the command listener feature (this is not enabled by default)."
        }
      ],
      "datePublic": "2023-08-29T16:21:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSome MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.\u003c/p\u003e\u003cp\u003eWithout due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).\u003c/p\u003e\u003cp\u003eThis issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).\u003c/p\u003e"
            }
          ],
          "value": "Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.\n\nWithout due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).\n\nThis issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-06T14:06:49.026Z",
        "orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
        "shortName": "mongodb"
      },
      "references": [
        {
          "url": "https://jira.mongodb.org/browse/PHPC-1869"
        },
        {
          "url": "https://jira.mongodb.org/browse/CXX-2028"
        },
        {
          "url": "https://jira.mongodb.org/browse/SWIFT-1229"
        },
        {
          "url": "https://jira.mongodb.org/browse/CDRIVER-3797"
        },
        {
          "url": "https://jira.mongodb.org/browse/NODE-3356"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231006-0001/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
    "assignerShortName": "mongodb",
    "cveId": "CVE-2021-32050",
    "datePublished": "2023-08-29T15:24:30.389Z",
    "dateReserved": "2021-05-05T14:29:29.717Z",
    "dateUpdated": "2025-11-03T19:25:48.021Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2023-2208

CVE-2021-32050 (GCVE-0-2021-32050)

Tags

Sightings

Nomenclature