CVE-2021-32050: System Dashboard - MongoDB Jira

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.

Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).

This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).


Welcome to MongoDB’s Issue Tracker

I am a customer. Where do I create a Support case?

  • MongoDB customers should always use the Support Portal to obtain the fastest response and ensure privacy.
  • MongoDB Cloud Manager or MongoDB Atlas customers should follow the Help link in Cloud Manager/Atlas to create a ticket in the Support Portal.

I am not a customer. Where should I ask general product or support questions?

MongoDB team members are active in community forums and you can also benefit from the experience of other MongoDB users. You should also consult our excellent documentation.

  • For general questions or community support use the MongoDB Community forums.
  • StackExchange also has several sites with MongoDB topics:
    • Stack Overflow (programming questions)
    • DBA StackExchange (database administration questions)
    • ServerFault (server and networking questions)

How do I create a feature request?

All MongoDB users can share their ideas via the MongoDB Feedback Engine.

Which JIRA project should I use to report bugs?

  • To report potential bugs in the MongoDB database server, use Core Server (SERVER).
  • For language-specific drivers (Java, C++, etc.), create a ticket for the relevant language driver.
  • To report a product security vulnerability, use SECURITY, a confidential space private to you and our development team.
  • Unless otherwise specified, comments and attachments in public projects will be visible to the public.

How can I follow or upvote an existing issue in JIRA?

If an issue already exists:

  • Vote for that issue to show your support. Voting provides a helpful signal to help prioritize issues in the product/development roadmap.
  • Watch an issue to subscribe to any future updates such as comments or changes in status.

Tips for creating issues

The more information you can provide, the easier it is for us to diagnose problems and provide support:

  • Search to find if the issue you are reporting has been reported previously
  • Include any statement or command that reproduces the issue you are experiencing
  • Mention the specific version of the database, client, and driver you are using
  • Include details about your environment, e.g. O/S, software platform, hardware, etc.

Receive release announcements from MongoDB

Sign up to be added to our product release announcements mailing list. You’ll receive notifications when new versions of MongoDB Enterprise Advanced, the BI Connector, Compass and Ops Manager become available.

Related news

GHSA-vxvm-qww3-2fh7: MongoDB Driver may publish events containing authentication-related data

