Source: node-mongodb X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for node-mongodb. CVE-2021-32050[0]: | Some MongoDB Drivers may erroneously publish events containing | authentication-related data to a command listener configured by an | application. The published events may contain security-sensitive | data when specific authentication-related commands are executed. | Without due care, an application may inadvertently expose this | sensitive information, e.g., by writing it to a log file. This issue | only arises if an application enables the command listener feature | (this is not enabled by default). This issue affects the MongoDB C | Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to | 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js | Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to | 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue | also affects users of the MongoDB C++ Driver dependent on the C | driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0). https://jira.mongodb.org/browse/NODE-3356 https://github.com/mongodb/node-mongodb-native/commit/8c8b4c3b8c55f10fb96f63d3bbfa5d408b4ed7d0 https://github.com/mongodb/node-mongodb-native/commit/b98f2061de9e8b0a814e3e7d39a0e914245953d0 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-32050 https://www.cve.org/CVERecord?id=CVE-2021-32050 Please adjust the affected versions in the BTS as needed.
