CVE-2021-20331

Source
https://cve.org/CVERecord?id=CVE-2021-20331
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20331.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-20331
Aliases
Published
2021-05-13T08:15:06.557Z
Modified
2026-04-10T04:41:29.776872Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authentication-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver v2.12 versions prior to and including 2.12.1.

References

Affected packages

Git / github.com/mongodb/mongo-csharp-driver

Affected ranges

Type
GIT
Repo
https://github.com/mongodb/mongo-csharp-driver
Events
Introduced
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "2.12.0"
        },
        {
            "fixed": "2.12.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.11.0-NA"
        }
    ]
}

Affected versions

v0.*
v0.11.0.4042
v0.5.0.3940
v0.7.0.3959
v0.9.0.3992
v1.*
v1.0.0.4098
v1.1.0.4184
v1.2.0.4274
v1.3.0.4309
v1.4.0.4468
v1.4.1.4490
v1.4.2.4500
v1.5.0.4566
v1.6.0.4624
v1.6.0rc0
v1.6.1.4678
v1.7.0.4714
v1.8.0.124
v1.8.1.20
v1.8.2.34
v1.9.0
v1.9.0-rc0
v1.9.0-rc1
v2.*
v2.0.0
v2.0.0-beta1
v2.0.0-beta2
v2.0.0-beta3
v2.0.0-beta4
v2.0.0-rc0
v2.1.0-rc0
v2.1.0-rc1
v2.10.0
v2.10.0-beta1
v2.11.0
v2.11.0-beta1
v2.11.0-beta2
v2.12.0
v2.12.1
v2.2.0
v2.2.0-rc0
v2.2.1
v2.3.0
v2.3.0-beta1
v2.3.0-rc1
v2.4.0
v2.4.0-beta1
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.5.0
v2.7.0
v2.7.0-beta1
v2.9.0
v2.9.0-beta1
v2.9.0-beta2
v2.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20331.json"