CVE-2021-20332: Exposure of Sensitive Information to an Unauthorized Actor in MongoDB Rust Driver

May 24, 2022 (updated June 17, 2022)

Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user’s logging infrastructure could then potentially ingest these events and unexpectedly leak the credentials. Note that such monitoring is not enabled by default.

References

github.com/advisories/GHSA-4rjr-3gj2-5crq
github.com/mongodb/mongo-rust-driver
github.com/mongodb/mongo-rust-driver/commit/9e8782b1bb1104e5399c073b553719c262d4463c
jira.mongodb.org/browse/RUST-591
nvd.nist.gov/vuln/detail/CVE-2021-20332

Code Behaviors & Features

Detect and mitigate CVE-2021-20332 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →