CVE-2021-20328

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-20328
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20328.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-20328
Aliases
Downstream
Published
2021-02-25T17:15:28.303Z
Modified
2026-04-10T04:33:30.165998Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.

References

Affected packages

Git / github.com/mongodb/mongo-java-driver

Affected ranges

Type
GIT
Repo
https://github.com/mongodb/mongo-java-driver
Events
Introduced
8afd81777b01d85e3e2694e6d125ddf373679db0
Fixed
4ebce1252c981c9c24c8541897f29812b23d47af
Introduced
c29fc3ab9612119e51d7cb2bdc9e5a72e7ad3f68
Fixed
eb2ae257ff71514c839e3a0c9d23fda61da133de
Introduced
9464704d92c0d91b3ab5ae1f5d0b8d6b0124f22e
Fixed
fecc054a70ddd27c2362907a5bc5754d7aad48cf
Introduced
26fee6d9e515f89a79e94888a7343b3e981eaf8e
Fixed
7a3e664a97ac668cdc9c16bd31620fb6f0626b0c
Introduced
b2fbb5937437d91c7d61d86dada277330dd1aa5d
Fixed
18ce60aa69d381ea50f5ceb7dca24f0434caf408
Database specific 
{
    "versions": [
        {
            "introduced": "3.11.0"
        },
        {
            "fixed": "3.11.3"
        },
        {
            "introduced": "3.12.0"
        },
        {
            "fixed": "3.12.8"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.6"
        },
        {
            "introduced": "4.1.0"
        },
        {
            "fixed": "4.1.2"
        },
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/quarkusio/quarkus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0e8ec9e712d4b2848e2671a51bf76dd7abd9a8fb
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
0e8ec9e712d4b2848e2671a51bf76dd7abd9a8fb
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.13.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.13.3"
        }
    ]
}

Affected versions

1.*
1.13.3.Final
r3.*
r3.11.0
r3.11.1
r3.11.2
r3.12.0
r3.12.1
r3.12.2
r3.12.3
r3.12.4
r3.12.5
r3.12.6
r3.12.7
r4.*
r4.0.0
r4.0.1
r4.0.2
r4.0.3
r4.0.4
r4.0.5
r4.1.0
r4.1.1
r4.2.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20328.json"