Uploaded image for project: 'VS Code Extension'
  1. VS Code Extension
  2. VSCODE-311 Use new data service and connection model
  3. VSCODE-313

Use the connection-secrets module to protect all secrets

XMLWordPrintableJSON

    • Type: Icon: Sub-task Sub-task
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 0.8.0
    • Affects Version/s: None
    • Component/s: None
    • Labels:
      None
    • Not Needed
    • Iteration Reno, Iteration Seoul

      CVE-2021-32039

      Title
      MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text

      CVE ID
      CVE-2021-32039

      Description

      Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0 

      CVSS score
      This issue's CVSS:3.1 severity is scored at 5.5 using the following scoring metrics:
      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

      Affected versions
      All versions of MongoDB for VS Code up to and including v0.7.0 

      CWE
      CWE-522: Insufficiently Protected Credentials

      Underlying operating systems affected
      ALL

      How the issue was reported:
      Internally

      External Reference link 
      VSCODE-311 

      https://github.com/mongodb-js/vscode/releases/tag/v0.8.0

            Assignee:
            alena.khineika@mongodb.com Alena Khineika
            Reporter:
            alena.khineika@mongodb.com Alena Khineika
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: