CVE-2021-20331: Exposure of Sensitive Information to an Unauthorized Actor

May 24, 2022 (updated December 20, 2023)

Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as “saslStart”, “saslContinue”, “isMaster”, “createUser”, and “updateUser” are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver 2.12 <= 2.12.1.

References

Code Behaviors & Features

Detect and mitigate CVE-2021-20331 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →