AVID-2026-R0712
Description
MongoDB Node.js client side field level encryption library may not be validating KMS certificate (CVE-2021-20327)
Details
A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability, in combination with an active man-in-the-middle (MITM) attack from a privileged network position, could result in interception of traffic between the Node.js driver and the KMS service, rendering client-side field level encryption (CSFLE) ineffective. This issue was discovered during internal testing and affects mongodb-client-encryption module version 1.2.0, which was available from 2021-Jan-29 and deprecated in the NPM Registry on 2021-Feb-04. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services from applications residing inside the AWS, GCP, and Azure network fabrics, due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption. This issue affects MongoDB Node.js Driver mongodb-client-encryption module version 1.2.0.
Reason for inclusion in AVID: CVE-2021-20327 describes a flaw in the mongodb-client-encryption Node.js module (1.2.0) where KMS server certificate validation is improper, enabling potential MITM to intercept encryption key traffic and undermine client-side field-level encryption (CSFLE). This is a software vulnerability in a dependency used in Node.js environments. Such a library can be part of AI data pipelines and deployment stacks (e.g., data storage/encryption for AI workloads), making it a relevant supply-chain item for general-purpose AI systems. Therefore, it should be considered a vulnerability in the GP AI software supply chain.
References
Affected or Relevant Artifacts
- Developer: MongoDB Inc.
- Deployer: MongoDB Inc.
- Artifact Details:
| Type | Name |
|---|---|
| System | MongoDB Node.js Driver mongodb-client-encryption module |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Base Score | 6.4 |
| Base Severity | 🟠 Medium |
| Attack Vector | ADJACENT_NETWORK |
| Attack Complexity | 🔴 High |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-295 | Improper Certificate Validation |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2021-02-25
- Version: 0.3.3
- AVID Entry