CVE-2021-32050: System Dashboard - MongoDB Jira
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
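One way to exercise the "due care" described above is to sanitize every monitoring event before it reaches a log sink. The sketch below is an added example, not code from MongoDB or its drivers. It assumes the event shape of the Node.js driver (`commandName`, `databaseName`, `requestId`, `command`, `reply`, `failure`), and the list of authentication-related command names is an assumption, since the advisory does not enumerate them.

```javascript
// Command names treated as authentication-related (assumption; not listed on the page).
const SENSITIVE_COMMANDS = new Set([
  'authenticate', 'saslstart', 'saslcontinue', 'getnonce',
  'createuser', 'updateuser', 'copydbgetnonce', 'copydbsaslstart', 'copydb',
]);
const HANDSHAKE_COMMANDS = new Set(['hello', 'ismaster']);

// True when the event's body may carry credentials or SASL payloads.
function isSensitive(event) {
  const name = String(event.commandName || '').toLowerCase();
  if (SENSITIVE_COMMANDS.has(name)) return true;
  // A handshake is sensitive only when it piggybacks authentication.
  const doc = event.command || event.reply || {};
  return HANDSHAKE_COMMANDS.has(name) && 'speculativeAuthenticate' in doc;
}

// Returns a copy that is safe to log; the driver's event object is not mutated.
function sanitizeEvent(event) {
  const safe = {
    commandName: event.commandName,
    databaseName: event.databaseName,
    requestId: event.requestId,
  };
  if (isSensitive(event)) return { ...safe, redacted: true };
  for (const f of ['command', 'reply', 'failure']) {
    if (event[f] !== undefined) safe[f] = event[f];
  }
  return safe;
}

// Wraps a listener so it only ever receives sanitized events.
function safeListener(sink) {
  return (event) => sink(sanitizeEvent(event));
}

// Constructed sample events (not captured from a real deployment).
const SAMPLE_EVENTS = [
  { commandName: 'saslStart', databaseName: 'admin', requestId: 1,
    command: { saslStart: 1, mechanism: 'SCRAM-SHA-256', payload: 'CONSTRUCTED-PAYLOAD' } },
  { commandName: 'hello', databaseName: 'admin', requestId: 2,
    command: { hello: 1, speculativeAuthenticate: { saslStart: 1, payload: 'CONSTRUCTED-PAYLOAD' } } },
  { commandName: 'find', databaseName: 'shop', requestId: 3,
    command: { find: 'orders', filter: { status: 'open' } } },
];

// Feeds the samples through a wrapped listener and returns the log lines.
function demo() {
  const lines = [];
  SAMPLE_EVENTS.forEach(safeListener((e) => lines.push(JSON.stringify(e))));
  return lines;
}
console.log(demo().join('\n'));
```

With the Node.js driver, a client created with `monitorCommands: true` would register the wrapper as `client.on('commandStarted', safeListener(log))`. This complements, and does not replace, moving to a driver version outside the affected ranges listed above.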