CVE-2021-32039 - OpenCVE

Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mongodb	Mongodb

Configuration 1 [-]

cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:visual_studio_code:*:*

No data.

References

Link	Providers
https://github.com/mongodb-js/vscode/releases/tag/v0.8.0
https://jira.mongodb.org/browse/VSCODE-313

History

Wed, 18 Sep 2024 08:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:mongodb:mongodb:-:::::::*
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 17 Sep 2024 02:00:00 +0000

Type	Values Removed	Values Added
Description	Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0	Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0

MITRE

Status: PUBLISHED

Assigner: mongodb

Published: 2022-01-20T14:50:10.319200Z

Updated: 2024-09-17T01:51:09.452Z

Reserved: 2021-05-05T00:00:00

Link: CVE-2021-32039

Vulnrichment

Updated: 2024-08-03T23:17:28.896Z

NVD

Status : Modified

Published: 2022-01-20T15:15:07.893

Modified: 2024-09-17T02:15:44.030

Link: CVE-2021-32039

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB for VS Code", "vendor": "MongoDB Inc.", "versions": [{"lessThanOrEqual": "0.7.0", "status": "affected", "version": "MongoDB for VS Code", "versionType": "custom"}]}], "datePublic": "2022-01-20T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0</p>"}], "value": "Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T16:28:19.416Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0"}, {"tags": ["x_refsource_MISC"], "url": "https://jira.mongodb.org/browse/VSCODE-313"}], "source": {"discovery": "INTERNAL"}, "title": "MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2022-01-20T18:13:00.000Z", "ID": "CVE-2021-32039", "STATE": "PUBLIC", "TITLE": "MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MongoDB for VS Code", "version": {"version_data": [{"version_affected": "<=", "version_name": "MongoDB for VS Code", "version_value": "0.7.0"}]}}]}, "vendor_name": "MongoDB Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-522: Insufficiently Protected Credentials"}]}]}, "references": {"reference_data": [{"name": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0", "refsource": "MISC", "url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0"}, {"name": "https://jira.mongodb.org/browse/VSCODE-313", "refsource": "MISC", "url": "https://jira.mongodb.org/browse/VSCODE-313"}]}, "source": {"discovery": "INTERNAL"}}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-32039", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T18:21:40.886484Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mongodb:mongodb:-:*:*:*:*:*:*:*"], "vendor": "mongodb", "product": "mongodb", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:13:21.338Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:17:28.896Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.mongodb.org/browse/VSCODE-313"}]}]}, "cveMetadata": {"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "assignerShortName": "mongodb", "cveId": "CVE-2021-32039", "datePublished": "2022-01-20T14:50:10.319200Z", "dateReserved": "2021-05-05T00:00:00", "dateUpdated": "2024-09-17T01:51:09.452Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://jira.mongodb.org/browse/VSCODE-313", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:17:28.896Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-32039", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T18:21:40.886484Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mongodb:mongodb:-:*:*:*:*:*:*:*"], "vendor": "mongodb", "product": "mongodb", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-22T18:20:28.836Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text", "source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB Inc.", "product": "MongoDB for VS Code", "versions": [{"status": "affected", "version": "MongoDB for VS Code", "versionType": "custom", "lessThanOrEqual": "0.7.0"}], "defaultStatus": "unaffected"}], "datePublic": "2022-01-20T00:00:00.000Z", "references": [{"url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0", "tags": ["x_refsource_MISC"]}, {"url": "https://jira.mongodb.org/browse/VSCODE-313", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0", "supportingMedia": [{"type": "text/html", "value": "<p>Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T16:28:19.416Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, "source": {"discovery": "INTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "MongoDB for VS Code", "version_value": "0.7.0", "version_affected": "<="}]}, "product_name": "MongoDB for VS Code"}]}, "vendor_name": "MongoDB Inc."}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0", "name": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0", "refsource": "MISC"}, {"url": "https://jira.mongodb.org/browse/VSCODE-313", "name": "https://jira.mongodb.org/browse/VSCODE-313", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-522: Insufficiently Protected Credentials"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-32039", "STATE": "PUBLIC", "TITLE": "MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text", "ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2022-01-20T18:13:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-32039", "state": "PUBLISHED", "dateUpdated": "2024-09-17T01:51:09.452Z", "dateReserved": "2021-05-05T00:00:00", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2022-01-20T14:50:10.319200Z", "assignerShortName": "mongodb"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:visual_studio_code:*:*", "matchCriteriaId": "AEB1AC25-4CF2-44D8-9EDA-4BA317A65158", "versionEndIncluding": "0.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0"}, {"lang": "es", "value": "Los usuarios con acceso apropiado a los archivos pueden ser capaces de acceder a las credenciales de usuario sin cifrar guardadas por MongoDB Extension for VS Code en un archivo binario. Estas credenciales pueden ser usadas por atacantes maliciosos para llevar a cabo acciones no autorizadas. Esta vulnerabilidad afecta a todas las extensiones de MongoDB para VS Code incluida y anterior a versi\u00f3n 0.7.0"}], "id": "CVE-2021-32039", "lastModified": "2024-09-17T02:15:44.030", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2022-01-20T15:15:07.893", "references": [{"source": "cna@mongodb.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/mongodb-js/vscode/releases/tag/v0.8.0"}, {"source": "cna@mongodb.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/VSCODE-313"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "cna@mongodb.com", "type": "Secondary"}]}