Vulnerabilites related to mongodb - java_driver
Vulnerability from fkie_nvd
Published
2021-02-25 17:15
Modified
2024-11-21 05:46
Severity ?
6.4 (Medium) - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@mongodb.com | https://jira.mongodb.org/browse/JAVA-4017 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/JAVA-4017 | Issue Tracking, Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mongodb | java_driver | * | |
| mongodb | java_driver | * | |
| mongodb | java_driver | * | |
| mongodb | java_driver | * | |
| mongodb | java_driver | * | |
| quarkus | quarkus | * | |
| quarkus | quarkus | 1.13.3 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", matchCriteriaId: "A7269E59-8D72-4459-92D0-C7B725ED290A", versionEndExcluding: "3.11.3", versionStartIncluding: "3.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", matchCriteriaId: "564EEC7B-9969-45F8-A358-8034DCEDCE5E", versionEndExcluding: "3.12.8", versionStartIncluding: "3.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", matchCriteriaId: "97F149A2-F169-40CB-974D-91C6AB2D49DD", versionEndExcluding: "4.0.6", versionStartIncluding: "4.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", matchCriteriaId: "B7E4EF7D-C0F9-4B91-B7FE-5295F91AA108", versionEndExcluding: "4.1.2", versionStartIncluding: "4.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", matchCriteriaId: "482332D0-4581-459D-A187-063F5BDEA2FF", versionEndExcluding: "4.2.1", versionStartIncluding: "4.2.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "DA5D8178-3D1D-4AFE-80A3-7B68BF24E420", versionEndExcluding: "1.13.3", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:1.13.3:*:*:*:*:*:*:*", matchCriteriaId: "9EEC47CA-B2E0-437D-B8BF-C0DA5713BFB1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.", }, { lang: "es", value: "Las versiones específicas del controlador de Java que soportan el client-side field level encryption (CSFLE) presentan un fallo al realizar una comprobación correcta del nombre del host en el certificado del servidor KMS. Esta vulnerabilidad, en combinación con un ataque MITM activo en una posición de red privilegiada, podría resultar en una interceptación del tráfico entre el controlador de Java y el servicio KMS, haciendo que el cifrado a nivel de campo sea ineficaz. Este problema se detectó durante las pruebas internas y afecta a todas las versiones del controlador de Java que soportan CSFLE. Los controladores Java async, Scala y flujos reactivos no están afectados. Esta vulnerabilidad no afecta a las cargas de tráfico del controlador con servicios clave compatibles con CSFLE que se originan en aplicaciones que residen dentro de los tejidos de red de AWS, GCP y Azure debido a los controles de compensación en estos entornos. Este problema no afecta a las cargas de trabajo de los controladores que no usan Field Level Encryption", }, ], id: "CVE-2021-20328", lastModified: "2024-11-21T05:46:23.270", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "ADJACENT_NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:A/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 5.5, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 5.2, source: "cna@mongodb.com", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-02-25T17:15:28.303", references: [ { source: "cna@mongodb.com", tags: [ "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://jira.mongodb.org/browse/JAVA-4017", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://jira.mongodb.org/browse/JAVA-4017", }, ], sourceIdentifier: "cna@mongodb.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-295", }, ], source: "cna@mongodb.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-295", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2021-20328
Vulnerability from cvelistv5
Published
2021-02-25 16:30
Modified
2024-09-16 19:10
Severity ?
EPSS score ?
Summary
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.mongodb.org/browse/JAVA-4017 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | MongoDB Inc. | mongo-java-driver |
Version: 3.11 < Version: 3.12 < |
||||||||||||||||
|
|||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T17:37:24.117Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.mongodb.org/browse/JAVA-4017", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", ], defaultStatus: "unaffected", product: "java_driver", vendor: "mongodb", versions: [ { lessThanOrEqual: "3.11.2", status: "affected", version: "3.11", versionType: "custom", }, { lessThanOrEqual: "3.12.7", status: "affected", version: "3.12", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2021-20328", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-02-13T16:48:15.681647Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-15T17:36:34.465Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "mongo-java-driver", vendor: "MongoDB Inc.", versions: [ { lessThanOrEqual: "3.11.2", status: "affected", version: "3.11", versionType: "custom", }, { lessThanOrEqual: "3.12.7", status: "affected", version: "3.12", versionType: "custom", }, ], }, { defaultStatus: "unaffected", product: "mongodb-driver", vendor: "MongoDB Inc.", versions: [ { lessThanOrEqual: "3.11.2", status: "affected", version: "3.11", versionType: "custom", }, { lessThanOrEqual: "3.12.7", status: "affected", version: "3.12", versionType: "custom", }, ], }, { defaultStatus: "unaffected", product: "mongodb-driver-sync", vendor: "MongoDB Inc.", versions: [ { status: "affected", version: "4.2.0", }, { lessThanOrEqual: "3.11.2", status: "affected", version: "3.11", versionType: "custom", }, { lessThanOrEqual: "3.12.7", status: "affected", version: "3.12", versionType: "custom", }, { lessThanOrEqual: "4.0.5", status: "affected", version: "4.0", versionType: "custom", }, { lessThanOrEqual: "4.1.1", status: "affected", version: "4.1", versionType: "custom", }, ], }, { defaultStatus: "unaffected", product: "mongodb-driver-legacy", vendor: "MongoDB Inc.", versions: [ { status: "affected", version: "4.2.0", }, { lessThanOrEqual: "3.11.2", status: "affected", version: "3.11", versionType: "custom", }, { lessThanOrEqual: "3.12.7", status: "affected", version: "3.12", versionType: "custom", }, { lessThanOrEqual: "4.0.5", status: "affected", version: "4.0", versionType: "custom", }, { lessThanOrEqual: "4.1.1", status: "affected", version: "4.1", versionType: "custom", }, ], }, ], datePublic: "2021-02-25T00:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.</p>", }, ], value: "Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-295", description: "CWE-295 Improper Certificate Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-13T13:39:14.648Z", orgId: "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", shortName: "mongodb", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://jira.mongodb.org/browse/JAVA-4017", }, ], source: { discovery: "INTERNAL", }, title: "MongoDB Java driver client-side field level encryption not verifying KMS host name", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@mongodb.com", DATE_PUBLIC: "2021-02-25T17:00:00.000Z", ID: "CVE-2021-20328", STATE: "PUBLIC", TITLE: "MongoDB Java driver client-side field level encryption not verifying KMS host name", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "mongo-java-driver", version: { version_data: [ { version_affected: "<=", version_name: "3.11", version_value: "3.11.2", }, { version_affected: "<=", version_name: "3.12", version_value: "3.12.7", }, ], }, }, { product_name: "mongodb-driver", version: { version_data: [ { version_affected: "<=", version_name: "3.11", version_value: "3.11.2", }, { version_affected: "<=", version_name: "3.12", version_value: "3.12.7", }, ], }, }, { product_name: "mongodb-driver-sync", version: { version_data: [ { version_affected: "<=", version_name: "3.11", version_value: "3.11.2", }, { version_affected: "<=", version_name: "3.12", version_value: "3.12.7", }, { version_affected: "<=", version_name: "4.0", version_value: "4.0.5", }, { version_affected: "<=", version_name: "4.1", version_value: "4.1.1", }, { version_affected: "=", version_name: "4.2", version_value: "4.2.0", }, ], }, }, { product_name: "mongodb-driver-legacy", version: { version_data: [ { version_affected: "<=", version_name: "3.11", version_value: "3.11.2", }, { version_affected: "<=", version_name: "3.12", version_value: "3.12.7", }, { version_affected: "<=", version_name: "4.0", version_value: "4.0.5", }, { version_affected: "<=", version_name: "4.1", version_value: "4.1.1", }, { version_affected: "=", version_name: "4.2", version_value: "4.2.0", }, ], }, }, ], }, vendor_name: "MongoDB Inc.", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-295 Improper Certificate Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://jira.mongodb.org/browse/JAVA-4017", refsource: "MISC", url: "https://jira.mongodb.org/browse/JAVA-4017", }, ], }, source: { discovery: "INTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", assignerShortName: "mongodb", cveId: "CVE-2021-20328", datePublished: "2021-02-25T16:30:14.536970Z", dateReserved: "2020-12-17T00:00:00", dateUpdated: "2024-09-16T19:10:28.653Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }