CVE-2021-20328

🗓️ 25 Feb 2021 16:30:14Reported by mongodbType

cve🔗 web.nvd.nist.gov📰️ 4 Media mentions👁 120 Views

Specific versions of Java driver fail to perform correct host name verification on KMS server’s certificate, impacting Field Level Encryption effectiveness

Reporter	Title	Published	Views	Family All 35
IBM Security Bulletins	Security Bulletin: IBM Security Guardium is affected by a mongodb-driver-legacy-4.1.1.jar vulnerability (CVE-2021-20328)	20 Jun 202220:41	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image	17 Apr 202406:43	–	ibm
Circl	CVE-2021-20328	25 Feb 202120:37	–	circl
CNNVD	MongoDB Trust Management Issues Vulnerabilities	25 Feb 202100:00	–	cnnvd
Cvelist	CVE-2021-20328 MongoDB Java driver client-side field level encryption not verifying KMS host name	25 Feb 202116:30	–	cvelist
Debian CVE	CVE-2021-20328	25 Feb 202116:30	–	debiancve
EUVD	EUVD-2022-5169	3 Oct 202520:07	–	euvd
Github Security Blog	Improper Certificate Validation in MongoDB	24 May 202222:28	–	github
MongoDB	MongoDB Java driver client-side field level encryption not verifying KMS host name	25 Feb 202100:00	–	mongodb
NCSC	Vulnerabilities fixed in MongoDB	26 Feb 202100:00	–	ncsc

NVD

Node

mongodb java_driverRange3.11.0–3.11.3mongodb

mongodb java_driverRange3.12.0–3.12.8mongodb

mongodb java_driverRange4.0.0–4.0.6mongodb

mongodb java_driverRange4.1.0–4.1.2mongodb

mongodb java_driverRange4.2.0–4.2.1mongodb

Node

quarkus quarkusRange<1.13.3

quarkus quarkusMatch1.13.3

[
  {
    "defaultStatus": "unaffected",
    "product": "mongo-java-driver",
    "vendor": "MongoDB Inc.",
    "versions": [
      {
        "lessThanOrEqual": "3.11.2",
        "status": "affected",
        "version": "3.11",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "3.12.7",
        "status": "affected",
        "version": "3.12",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "mongodb-driver",
    "vendor": "MongoDB Inc.",
    "versions": [
      {
        "lessThanOrEqual": "3.11.2",
        "status": "affected",
        "version": "3.11",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "3.12.7",
        "status": "affected",
        "version": "3.12",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "mongodb-driver-sync",
    "vendor": "MongoDB Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "4.2.0"
      },
      {
        "lessThanOrEqual": "3.11.2",
        "status": "affected",
        "version": "3.11",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "3.12.7",
        "status": "affected",
        "version": "3.12",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "4.0.5",
        "status": "affected",
        "version": "4.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "4.1.1",
        "status": "affected",
        "version": "4.1",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "mongodb-driver-legacy",
    "vendor": "MongoDB Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "4.2.0"
      },
      {
        "lessThanOrEqual": "3.11.2",
        "status": "affected",
        "version": "3.11",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "3.12.7",
        "status": "affected",
        "version": "3.12",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "4.0.5",
        "status": "affected",
        "version": "4.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "4.1.1",
        "status": "affected",
        "version": "4.1",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
jira	www.jira.mongodb.org/browse/JAVA-4017

21 Nov 2024 05:46Current

6.4Medium risk

Vulners AI Score6.4

CVSS 24.3

CVSS 3.16.4 - 6.8

EPSS0.00129

SSVC

CWE-295