Rust Driver / RUST-591

ConnectionPoolOptions is used for event monitoring and pool internals

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical - P2
    • Fix Version/s: 2.0.0-beta
    • Affects Version/s: 1.2.1, 2.0.0-alpha.1
    • Component/s: None
    • Labels: None

There are a few significant issues with the ConnectionPoolOptions type due to how it's used both for internal options management and external event monitoring:

• It's not non_exhaustive but has all pub fields, meaning adding a new one is technically a breaking change.
• It stores the user's credentials, which is an easy way for db credentials to be leaked to system logs.

To solve these issues and prevent them from surfacing in the future, we'd need to use a new type for internal pool options tracking, mark ConnectionPoolOptions as non_exhaustive, and deprecate and/or redact the credential field. The non_exhaustive change is technically breaking and the credential change could behaviorally break things, though there is precedent for making similar changes in the past.
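The following is an added example written for this page, not code from the MongoDB Rust Driver. It models the pattern the ticket describes with constructed, placeholder types: a public options struct that carries the credential and derives Debug leaks the password the moment an application's event listener formats a pool-created event for its logger. The "hardened" half shows the three changes proposed above in miniature: an internal options type that owns the credential and never appears in events, a #[non_exhaustive] public type, and a deprecated credential field whose Debug output is redacted. All names, addresses and passwords are placeholders.

```rust
// Added example (not the MongoDB Rust Driver's own code). The `Leaky*` types
// model the reported problem; the `Hardened*` types model one fix for it.
use std::fmt;

/// Constructed credential type; the values used below are placeholders.
#[derive(Clone, Debug)]
pub struct Credential {
    pub username: String,
    pub password: String,
}

/// Before: every field is `pub`, the type is not `#[non_exhaustive]`, and the
/// derived `Debug` walks into `credential` and prints the password verbatim.
#[derive(Debug)]
pub struct LeakyPoolOptions {
    pub max_pool_size: u32,
    pub credential: Option<Credential>,
}

#[derive(Debug)]
pub struct LeakyPoolCreatedEvent {
    pub address: String,
    pub options: LeakyPoolOptions,
}

/// After: crate-private bookkeeping type. It owns the credential used to
/// authenticate connections and is never placed into an event.
pub(crate) struct InternalPoolOptions {
    pub max_pool_size: u32,
    pub credential: Option<Credential>,
}

/// After: the event-facing type. `#[non_exhaustive]` allows new fields
/// without a breaking change; the hand-written `Debug` never prints
/// credential contents, whichever logger ends up formatting the event.
#[non_exhaustive]
pub struct HardenedPoolOptions {
    pub max_pool_size: u32,
    /// Kept only for source compatibility; redacted in `Debug`.
    #[deprecated(note = "credentials are no longer exposed through pool events")]
    pub credential: Option<Credential>,
}

impl HardenedPoolOptions {
    /// Build the event-facing view from the internal options.
    #[allow(deprecated)]
    pub(crate) fn from_internal(internal: &InternalPoolOptions) -> Self {
        HardenedPoolOptions {
            max_pool_size: internal.max_pool_size,
            credential: internal.credential.clone(),
        }
    }
}

impl fmt::Debug for HardenedPoolOptions {
    #[allow(deprecated)]
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("ConnectionPoolOptions")
            .field("max_pool_size", &self.max_pool_size)
            // Report presence only; never the username or the password.
            .field("credential", &self.credential.as_ref().map(|_| "<redacted>"))
            .finish()
    }
}

#[derive(Debug)]
pub struct HardenedPoolCreatedEvent {
    pub address: String,
    pub options: HardenedPoolOptions,
}

/// Constructed sample credential (placeholder values).
fn sample_credential() -> Credential {
    Credential {
        username: "app_user".to_string(),
        password: "placeholder-password".to_string(),
    }
}

/// What a listener's `format!("{:?}", event)` would hand to a logger: before.
pub fn leaky_log_line() -> String {
    let event = LeakyPoolCreatedEvent {
        address: "db.example.internal:27017".to_string(),
        options: LeakyPoolOptions { max_pool_size: 10, credential: Some(sample_credential()) },
    };
    format!("{:?}", event)
}

/// The same log line after the fix: the credential lives in the internal
/// options and the event-facing type redacts it.
pub fn hardened_log_line() -> String {
    let internal = InternalPoolOptions { max_pool_size: 10, credential: Some(sample_credential()) };
    let event = HardenedPoolCreatedEvent {
        address: "db.example.internal:27017".to_string(),
        options: HardenedPoolOptions::from_internal(&internal),
    };
    format!("{:?}", event)
}

/// A check to run over captured log output: does a line contain a secret
/// that should never have reached the log?
pub fn line_leaks_secret(line: &str, secret: &str) -> bool {
    line.contains(secret)
}

fn main() {
    println!("before: {}", leaky_log_line());
    println!("after:  {}", hardened_log_line());
}
```

Running the block prints the two log lines side by side; the first contains the placeholder password, the second shows only `credential: Some("<redacted>")`. The same `line_leaks_secret` check, pointed at real log output with a known test password, is a cheap way to confirm that an upgrade actually closed the leak rather than trusting the changelog.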


CVE ID: CVE-2021-20332

Title: MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application

Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credentials. Note that such monitoring is not enabled by default.

CVSS Score:

CWE ID: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Exact affected versions:
MongoDB Rust Driver 1.0.0 through 1.2.1 (inclusive)
MongoDB Rust Driver 2.0.0-alpha
MongoDB Rust Driver 2.0.0-alpha1

Underlying operating systems affected: All

patrick.freed@mongodb.com Patrick Freed