{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB C# Driver", "vendor": "MongoDB Inc.", "versions": [{"lessThanOrEqual": "2.12.1", "status": "affected", "version": "2.12", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Citrix Systems, Inc."}], "datePublic": "2021-05-23T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p><p>Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as \"saslStart\", \"saslContinue\", \"isMaster\", \"createUser\", and \"updateUser\" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver v2.12 versions prior to and including 2.12.1.</p><br><p></p>"}], "value": "Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as \"saslStart\", \"saslContinue\", \"isMaster\", \"createUser\", and \"updateUser\" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver v2.12 versions prior to and including 2.12.1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T16:09:46.051Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jira.mongodb.org/browse/CSHARP-3521"}], "source": {"discovery": "EXTERNAL"}, "title": "MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2021-05-24T22:00:00.000Z", "ID": "CVE-2021-20331", "STATE": "PUBLIC", "TITLE": "MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MongoDB C# Driver", "version": {"version_data": [{"version_affected": "<=", "version_name": "2.12", "version_value": "2.12.1"}]}}]}, "vendor_name": "MongoDB Inc."}]}}, "credit": [{"lang": "eng", "value": "Citrix Systems, Inc."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as \"saslStart\", \"saslContinue\", \"isMaster\", \"createUser\", and \"updateUser\" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver 2.12 <= 2.12.1."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://jira.mongodb.org/browse/CSHARP-3521", "refsource": "CONFIRM", "url": "https://jira.mongodb.org/browse/CSHARP-3521"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:37:23.787Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jira.mongodb.org/browse/CSHARP-3521"}]}, {"affected": [{"vendor": "mongodb", "product": "c\\#_driver", "cpes": ["cpe:2.3:a:mongodb:c\\#_driver:*:*:*:*:*:mongodb:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.12", "status": "affected", "lessThanOrEqual": "2.12.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-23T20:28:24.561425Z", "id": "CVE-2021-20331", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T17:12:36.580Z"}}]}, "cveMetadata": {"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "assignerShortName": "mongodb", "cveId": "CVE-2021-20331", "datePublished": "2021-05-13T07:40:11.801146Z", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-09-16T22:25:28.232Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jira.mongodb.org/browse/CSHARP-3521", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:37:23.787Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-20331", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-23T20:28:24.561425Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mongodb:c\\#_driver:*:*:*:*:*:mongodb:*:*"], "vendor": "mongodb", "product": "c\\#_driver", "versions": [{"status": "affected", "version": "2.12", "versionType": "custom", "lessThanOrEqual": "2.12.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T17:12:32.813Z"}}], "cna": {"title": "MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Citrix Systems, Inc."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB Inc.", "product": "MongoDB C# Driver", "versions": [{"status": "affected", "version": "2.12", "versionType": "custom", "lessThanOrEqual": "2.12.1"}], "defaultStatus": "unaffected"}], "datePublic": "2021-05-23T23:00:00.000Z", "references": [{"url": "https://jira.mongodb.org/browse/CSHARP-3521", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as \"saslStart\", \"saslContinue\", \"isMaster\", \"createUser\", and \"updateUser\" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver v2.12 versions prior to and including 2.12.1.", "supportingMedia": [{"type": "text/html", "value": "<p></p><p>Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as \"saslStart\", \"saslContinue\", \"isMaster\", \"createUser\", and \"updateUser\" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver v2.12 versions prior to and including 2.12.1.</p><br><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Information Exposure"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T16:09:46.051Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Citrix Systems, Inc."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "2.12", "version_value": "2.12.1", "version_affected": "<="}]}, "product_name": "MongoDB C# Driver"}]}, "vendor_name": "MongoDB Inc."}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://jira.mongodb.org/browse/CSHARP-3521", "name": "https://jira.mongodb.org/browse/CSHARP-3521", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as \"saslStart\", \"saslContinue\", \"isMaster\", \"createUser\", and \"updateUser\" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver 2.12 <= 2.12.1."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-20331", "STATE": "PUBLIC", "TITLE": "MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application", "ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2021-05-24T22:00:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-20331", "state": "PUBLISHED", "dateUpdated": "2024-09-16T22:25:28.232Z", "dateReserved": "2020-12-17T00:00:00", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2021-05-13T07:40:11.801146Z", "assignerShortName": "mongodb"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:c\\#_driver:*:*:*:*:*:mongodb:*:*", "matchCriteriaId": "6998C551-8878-414C-919A-9305AB7A897E", "versionEndExcluding": "2.12.2", "versionStartIncluding": "2.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:c\\#_driver:2.11.0:-:*:*:*:mongodb:*:*", "matchCriteriaId": "69B8F1A7-8B5C-4D6A-A552-A925DA52A12F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as \"saslStart\", \"saslContinue\", \"isMaster\", \"createUser\", and \"updateUser\" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver v2.12 versions prior to and including 2.12.1."}, {"lang": "es", "value": "Las versiones espec\u00edficas del Controlador MongoDB C# pueden publicar err\u00f3neamente eventos que contienen datos relacionados con la autenticaci\u00f3n en un escucha de comandos configurado por una aplicaci\u00f3n. Los eventos publicados pueden contener datos confidenciales para la seguridad cuando comandos tales como \"saslStart\", \"saslContinue\", \"isMaster\", \"createUser\" y \"updateUser\" son ejecutados. Sin el debido cuidado, una aplicaci\u00f3n puede exponer inadvertidamente esta informaci\u00f3n relacionada con la autenticaci\u00f3n, por ejemplo, escribi\u00e9ndola en un archivo de registro. Este problema solo surge si una aplicaci\u00f3n habilita la funcionalidad command listener (esta no est\u00e1 habilitada por defecto). Este problema afecta al controlador MongoDB C# versiones 2.12 anteriores a 2.12.1 incluy\u00e9ndola"}], "id": "CVE-2021-20331", "lastModified": "2024-11-21T05:46:23.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 3.6, "source": "cna@mongodb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-13T08:15:06.557", "references": [{"source": "cna@mongodb.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/CSHARP-3521"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/CSHARP-3521"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "cna@mongodb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}