Vulnerability Details : CVE-2021-20332
Specific MongoDB Rust Driver versions can include the credentials that the connection pool uses to authenticate connections in the monitoring event emitted when the pool is created. The user's logging infrastructure could then ingest these events and unexpectedly leak the credentials. Note that such monitoring is not enabled by default. This issue affects MongoDB Rust Driver versions 2.0.0-alpha and 2.0.0-alpha1, and MongoDB Rust Driver versions 1.0.0 through 1.2.1 inclusive.
Products affected by CVE-2021-20332
- MongoDB » Rust Driver » For MongoDB, versions from 1.0.0 (>=) up to and including 1.2.1 (<=): `cpe:2.3:a:mongodb:rust_driver:*:*:*:*:*:mongodb:*:*`
- MongoDB » Rust Driver » 2.0.0-alpha: `cpe:2.3:a:mongodb:rust_driver:2.0.0:alpha:*:*:*:mongodb:*:*`
- MongoDB » Rust Driver » 2.0.0-alpha1: `cpe:2.3:a:mongodb:rust_driver:2.0.0:alpha1:*:*:*:mongodb:*:*`
Exploit prediction scoring system (EPSS) score for CVE-2021-20332
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~10% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2021-20332
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | 
4.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N | 0.6 | 3.6 | MongoDB, Inc. | 
4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 0.8 | 3.6 | NIST | 
CWE ids for CVE-2021-20332
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by: cna@mongodb.com, Secondary)
References for CVE-2021-20332
- https://jira.mongodb.org/browse/RUST-591 : [RUST-591] ConnectionPoolOptions is used for event monitoring and pool internals - MongoDB Jira (Patch; Vendor Advisory)