Uploaded image for project: 'Rust Driver'
  1. Rust Driver
  2. RUST-591

ConnectionPoolOptions is used for event monitoring and pool internals

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Critical - P2 Critical - P2
    • 2.0.0-beta
    • Affects Version/s: 1.2.1, 2.0.0-alpha.1
    • Component/s: None

      There are a few significant issues with the ConnectionPoolOptions type due to how its used both for internal options managing and external event monitoring:

      • It's not non_exhaustive but has all pub fields, meaning adding a new one is technically a breaking change
      • It stores the user's credentials, which is an easy way for db credentials to be leaked to system logs.

      To solve these issues and prevent them from surfacing in the future, we'd need to use a new type for internal pool options tracking, mark ConnectionPoolOptions as non_exhaustive, and deprecate and/or redact the credential field. The non_exhaustive change is technically breaking and the credential would could behaviorally break things, though there is precedent for making similar changes in the past.

       

      CVE ID: CVE-2021-20332

      Title: MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application

      Description:

      Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credentials. Note that such monitoring is not enabled by default.

      CVSS Score: 

      4.2

      CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

      CWE ID: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 

      Exact affected versions:
      MongoDB Rust Driver 1.0.0 through 1.2.1 (inclusive)
      MongoDB Rust Driver 2.0.0-alpha
      MongoDB Rust Driver 2.0.0-alpha1

       

      Underlying operating systems affected: All 

            Assignee:
            patrick.freed@mongodb.com Patrick Freed
            Reporter:
            patrick.freed@mongodb.com Patrick Freed
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: