MongoDB C# Driver Risk of Exposing Authentication Data via Command Listener
Moderate severity
GitHub Reviewed
Published May 24, 2022 to the GitHub Advisory Database • Updated Jan 23, 2024
Published by the National Vulnerability Database: May 13, 2021
Published to the GitHub Advisory Database: May 24, 2022
Reviewed: Dec 20, 2023
Last updated: Jan 23, 2024
Description
Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authentication-related information, e.g., by writing the event's command document to a log file. This issue only arises if an application enables the command listener feature (it is not enabled by default). This issue affects the MongoDB C# Driver 2.12 <= 2.12.1.
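An added example, not code from the advisory or from the MongoDB driver project, of a command listener that avoids the exposure described above: it logs the full command document for ordinary commands but only the command name for the authentication-related commands the advisory lists. The connection string, the `log` delegate and the `RedactingCommandLogger` class name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using MongoDB.Bson;
using MongoDB.Driver;
using MongoDB.Driver.Core.Events;

// Hypothetical helper: a command listener that redacts the commands the
// advisory names before anything reaches the application's log.
public static class RedactingCommandLogger
{
    // Commands the advisory identifies as carrying authentication-related data.
    // Applications can extend this set; the advisory's list is the baseline.
    private static readonly HashSet<string> SensitiveCommands =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "saslStart", "saslContinue", "isMaster", "createUser", "updateUser"
        };

    // Builds the log line for a started command. The unsafe pattern the advisory
    // warns about is logging command.ToJson() unconditionally; here the body is
    // dropped for sensitive commands so credentials and SASL payloads never
    // leave the driver.
    public static string Describe(string commandName, BsonDocument command)
    {
        if (SensitiveCommands.Contains(commandName))
            return $"{commandName} <redacted>";
        return $"{commandName} {command.ToJson()}";
    }

    // Wires the listener into the client settings. ClusterConfigurator and
    // Subscribe<TEvent> are the driver's supported way to register listeners.
    public static MongoClientSettings Configure(string connectionString, Action<string> log)
    {
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.ClusterConfigurator = cb =>
        {
            cb.Subscribe<CommandStartedEvent>(e => log(Describe(e.CommandName, e.Command)));

            // Replies can also carry server-side authentication material (for
            // example the saslContinue payload), so never log e.Reply; the
            // command name and timing are enough for diagnostics.
            cb.Subscribe<CommandSucceededEvent>(e =>
                log($"{e.CommandName} ok in {e.Duration.TotalMilliseconds} ms"));
        };
        return settings;
    }
}
```

Usage: `new MongoClient(RedactingCommandLogger.Configure("mongodb://localhost:27017", Console.WriteLine))` yields a client whose command events reach the log with the authentication commands reduced to their names.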
References