CVE-2021-32050 — MEDIUM (4.2)

Q: How severe is CVE-2021-32050?

CVE-2021-32050 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-32050?

Check the references section above for vendor advisories and patch information. Affected products include: Mongodb C\+\+, Mongodb C Driver, Mongodb Node.Js, Mongodb Php Driver, Mongodb Swift Driver.

Vulnerability Description

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

CVSS Score

4.2

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Mongodb	C\+\+	>= 1.0.0, < 1.17.7
Mongodb	C Driver	>= 1.0.0, < 1.17.7
Mongodb	Node.Js	>= 3.6, < 3.6.10
Mongodb	Php Driver	>= 1.0.0, < 1.9.2
Mongodb	Swift Driver	>= 1.0.0, < 1.1.1

Related Weaknesses (CWE)

CWE-532 CWE-200

References

https://jira.mongodb.org/browse/CDRIVER-3797Issue TrackingPatchVendor Advisory
https://jira.mongodb.org/browse/CXX-2028Issue TrackingPatchVendor Advisory
https://jira.mongodb.org/browse/NODE-3356Issue TrackingPatchVendor Advisory
https://jira.mongodb.org/browse/PHPC-1869Issue TrackingPatchVendor Advisory
https://jira.mongodb.org/browse/SWIFT-1229Issue Tracking
https://security.netapp.com/advisory/ntap-20231006-0001/
https://jira.mongodb.org/browse/CDRIVER-3797Issue TrackingPatchVendor Advisory
https://jira.mongodb.org/browse/CXX-2028Issue TrackingPatchVendor Advisory
https://jira.mongodb.org/browse/NODE-3356Issue TrackingPatchVendor Advisory
https://jira.mongodb.org/browse/PHPC-1869Issue TrackingPatchVendor Advisory
https://jira.mongodb.org/browse/SWIFT-1229Issue Tracking
https://lists.debian.org/debian-lts-announce/2025/05/msg00027.html
https://security.netapp.com/advisory/ntap-20231006-0001/

FAQ

What is CVE-2021-32050?

CVE-2021-32050 is a vulnerability with a CVSS score of 4.2 (MEDIUM). Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data ...

How severe is CVE-2021-32050?

CVE-2021-32050 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-32050?

Check the references section above for vendor advisories and patch information. Affected products include: Mongodb C\+\+, Mongodb C Driver, Mongodb Node.Js, Mongodb Php Driver, Mongodb Swift Driver.