CVE-2021-20328 – org.mongodb:mongodb-driver

Package

Manager: maven
Name: org.mongodb:mongodb-driver
Vulnerable Version: >=3.11.0 <3.11.3 || >=3.12.0 <3.12.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00129 pctl0.33073

Details

Improper Certificate Validation in MongoDB Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.

Metadata

Created: 2022-05-24T22:28:56Z
Modified: 2024-02-13T19:27:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rghw-6px2-fgwc/GHSA-rghw-6px2-fgwc.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-rghw-6px2-fgwc
Finding: F163
Auto approve: 1