Debian Bug report logs -
#1052663
node-mongodb: CVE-2021-32050
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#1052663; Package src:node-mongodb.
(Mon, 25 Sep 2023 21:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Mon, 25 Sep 2023 21:33:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: node-mongodb
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-mongodb.
CVE-2021-32050[0]:
| Some MongoDB Drivers may erroneously publish events containing
| authentication-related data to a command listener configured by an
| application. The published events may contain security-sensitive
| data when specific authentication-related commands are executed.
| Without due care, an application may inadvertently expose this
| sensitive information, e.g., by writing it to a log file. This issue
| only arises if an application enables the command listener feature
| (this is not enabled by default). This issue affects the MongoDB C
| Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to
| 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js
| Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to
| 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue
| also affects users of the MongoDB C++ Driver dependent on the C
| driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
https://jira.mongodb.org/browse/NODE-3356
https://github.com/mongodb/node-mongodb-native/commit/8c8b4c3b8c55f10fb96f63d3bbfa5d408b4ed7d0
https://github.com/mongodb/node-mongodb-native/commit/b98f2061de9e8b0a814e3e7d39a0e914245953d0
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-32050
https://www.cve.org/CVERecord?id=CVE-2021-32050
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 26 Sep 2023 03:57:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Sep 26 17:53:33 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon