CVE-2021-32050
Information Disclosure vulnerability in mongodb/mongodb (Packagist)

Type: Information Disclosure | Known exploits: none | Fixable by: Resolved Security

What is CVE-2021-32050 About?

This vulnerability is an Information Disclosure in several MongoDB Drivers that can erroneously publish authentication-related data to a configured command listener. If an application enables this listener (not by default) and doesn't handle sensitive data carefully, authentication details could be logged or exposed. Exploitation is limited by the non-default configuration but can lead to severe information leakage.

Affected Software

  • mongodb/mongodb
    • >1.0.0, <1.9.2
  • mongodb
    • >4.0.0, <4.17.0
    • >3.6.0, <3.6.10
    • >5.0.0, <5.8.0
  • github.com/mongodb/mongo-swift-driver
    • >1.0.0, <1.1.1

Technical Details

The vulnerability pertains to various MongoDB Drivers (C, PHP, Swift, Node.js, C++) where, under specific conditions, authentication-related data can be inadvertently published to a command listener. This issue arises when an application explicitly configures and enables a command listener, which is not activated by default. When certain authentication commands are executed, the driver's event publishing mechanism erroneously includes sensitive authentication data (e.g., credentials, tokens) within the published events. If the application does not exercise due care in handling these events (e.g., logging them directly without scrubbing sensitive fields), this security-sensitive data can be written to logs or exposed through other means, leading to an information disclosure.

What is the Impact of CVE-2021-32050?

Successful exploitation may allow attackers to gain access to sensitive authentication-related data, potentially leading to unauthorized access to the database or associated systems.

What is the Exploitability of CVE-2021-32050?

Exploitation of this Information Disclosure vulnerability is of moderate complexity and requires a specific configuration. It is primarily a local issue, or an internal-network one if the logs are reachable remotely. Exploitation requires that the application using the vulnerable MongoDB driver has explicitly enabled the command listener feature, which is off by default. An external attacker needs no authentication or privileges to trigger the event, but does need access to the logs or other output of the command listener to make use of the leaked information. The risk is significantly higher in environments where command listeners are active and logs are not securely managed or are accessible to unauthorized parties.

What are the Known Public Exploits?

Public PoCs (author, link, commentary): none known.

What are the Available Fixes for CVE-2021-32050?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch redacts sensitive credential information from the options property exposed via ConnectionPoolCreatedEvent by replacing any present credentials with an empty object before emitting the event. This prevents the accidental exposure of authentication details through event listeners, logs, or debugging tools, fixing CVE-2021-32050, which allowed sensitive data to be disclosed via connection pool monitoring events. The change ensures only non-sensitive configuration options are accessible externally.

Available Upgrade Options

  • mongodb/mongodb
    • >1.0.0, <1.9.2 → Upgrade to 1.9.2
  • github.com/mongodb/mongo-swift-driver
    • >1.0.0, <1.1.1 → Upgrade to 1.1.1
  • mongodb
    • >3.6.0, <3.6.10 → Upgrade to 3.6.10
    • >4.0.0, <4.17.0 → Upgrade to 4.17.0
    • >5.0.0, <5.8.0 → Upgrade to 5.8.0


Additional Resources

What are Similar Vulnerabilities to CVE-2021-32050?

Similar Vulnerabilities: CVE-2022-22965, CVE-2021-44228, CVE-2020-5407, CVE-2018-1258, CVE-2023-28432