CVE-2021-32050: 
JavaScript vulnerability analysis and mitigation

CVE-2021-32050 is a security vulnerability affecting multiple MongoDB Drivers where events containing authentication-related data may be erroneously published to a command listener configured by an application. The vulnerability was discovered internally and disclosed in August 2023. The affected versions include MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver versions 3.6 prior to 3.6.10, 4.0 prior to 4.17.0, and 5.0 prior to 5.8.0, as well as MongoDB C++ Driver prior to 3.7.0 (NVD Database).

The vulnerability occurs when security-sensitive data from authentication-related commands is exposed through command listener events. This issue only manifests when an application explicitly enables the command listener feature, which is not enabled by default. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, though MongoDB's own assessment rates it at 4.2 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-532 (Insertion of Sensitive Information into Log File) (NVD Database).

The primary impact of this vulnerability is the potential disclosure of sensitive information. If exploited, an application may inadvertently expose security-sensitive data, particularly when writing command listener events to log files. This could lead to the compromise of authentication-related information (MongoDB JIRA).

Fixed versions have been released for all affected drivers: MongoDB C Driver 1.17.7, PHP Driver 1.9.2, Swift Driver 1.1.1, Node.js Driver 3.6.10/4.17.0/5.8.0, and C++ Driver 3.7.0. Users are advised to upgrade to these or later versions to address the vulnerability. Since the issue only affects applications with enabled command listeners, disabling this feature can serve as a temporary workaround (MongoDB JIRA).