[Pkg-javascript-devel] Bug#1052663: node-mongodb: CVE-2021-32050
Moritz Mühlenhoff
jmm at inutil.org
Mon Sep 25 22:28:46 BST 2023
Source: node-mongodb
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-mongodb.
CVE-2021-32050[0]:
| Some MongoDB Drivers may erroneously publish events containing
| authentication-related data to a command listener configured by an
| application. The published events may contain security-sensitive
| data when specific authentication-related commands are executed.
| Without due care, an application may inadvertently expose this
| sensitive information, e.g., by writing it to a log file. This issue
| only arises if an application enables the command listener feature
| (this is not enabled by default). This issue affects the MongoDB C
| Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to
| 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js
| Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to
| 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue
| also affects users of the MongoDB C++ Driver dependent on the C
| driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
https://jira.mongodb.org/browse/NODE-3356
https://github.com/mongodb/node-mongodb-native/commit/8c8b4c3b8c55f10fb96f63d3bbfa5d408b4ed7d0
https://github.com/mongodb/node-mongodb-native/commit/b98f2061de9e8b0a814e3e7d39a0e914245953d0
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-32050
https://www.cve.org/CVERecord?id=CVE-2021-32050
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-javascript-devel
mailing list