
6 matches found

RedHat Linux
added 2021/11/23 10:34 a.m., 1 view

mongo-java-driver: client-side field level encryption not verifying KMS host name

Specific versions of the Java driver that support client-side field level encryption CSFLE fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffi...

6.8 CVSS, 5.8 AI score, 0.00129 EPSS
Exploits 0, References 4

OSV
added 2021/02/25 5:15 p.m., 0 views

UBUNTU-CVE-2021-20328

Specific versions of the Java driver that support client-side field level encryption CSFLE fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffi...

6.8 CVSS, 6.8 AI score, 0.00129 EPSS
Exploits 0, References 3

Cvelist
added 2021/02/25 4:25 p.m., 13 views

CVE-2021-20327 MongoDB Node.js client side field level encryption library may not be validating KMS certificate

A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and th...

6.4 CVSS, 6.7 AI score, 0.00125 EPSS
Exploits 0, References 1

MongoDB
added 2021/02/25 12:0 a.m., 60 views

MongoDB Node.js client side field level encryption library may not be validating KMS certificate

A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and th...

6.8 CVSS, 6.2 AI score, 0.00125 EPSS
Exploits 0, References 1, Affected Software 1

Positive Technologies
added 2021/02/25 12:0 a.m., 2 views

PT-2021-13887 · Unknown · Java Driver

Name of the Vulnerable Software and Affected Versions: Java driver versions that support client-side field level encryption CSFLE Description: The issue arises from the Java driver's failure to perform correct host name verification on the KMS server's certificate, which, in combination with a...

6.8 CVSS, 7.5 AI score, 0.00129 EPSS
Exploits 0, References 10

Positive Technologies
added 2021/02/25 12:0 a.m., 3 views

PT-2021-13886 · Mongodb · Mongodb-Client-Encryption

Name of the Vulnerable Software and Affected Versions: mongodb-client-encryption module version 1.2.0 Description: The issue arises from the mongodb-client-encryption module's failure to correctly validate the KMS server's certificate. This could allow an attacker with a privileged network positi...

6.8 CVSS, 6.9 AI score, 0.00125 EPSS
Exploits 0, References 10