| Package | mongo-c-driver |
|---|---|
| Version | 1.14.0-1+deb10u1 (buster) |
| Related CVEs | CVE-2021-32050 CVE-2023-0437 CVE-2024-6381 CVE-2024-6383 CVE-2025-0755 |
Multiple vulnerabilities have been discovered in the MongoDB C Driver.
CVE-2021-32050
Some MongoDB Drivers may erroneously publish events containing
authentication-related data to a command listener configured by an
application. The published events may contain security-sensitive
data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this
sensitive information, e.g., by writing it to a log file. This issue
only arises if an application enables the command listener feature
(this is not enabled by default).
CVE-2023-0437
When calling bson_utf8_validate on some inputs a loop with an exit
condition that cannot be reached may occur, i.e. an infinite loop.
CVE-2024-6381
The bson_strfreev function in the MongoDB C driver library may be
susceptible to an integer overflow where the function will try to
free memory at a negative offset. This may result in memory
corruption.
CVE-2024-6383
The bson_string_append function in MongoDB C Driver may be
vulnerable to a buffer overflow where the function might attempt to
allocate too small of buffer and may lead to memory corruption of
neighbouring heap memory.
CVE-2025-0755
The various bson_append functions in the MongoDB C driver library
may be susceptible to buffer overflow when performing operations
that could result in a final BSON document which exceeds the maximum
allowable size (INT32_MAX), resulting in a segmentation fault and
possible application crash.
For Debian 10 buster, these problems have been fixed in version 1.14.0-1+deb10u1.
We recommend that you upgrade your mongo-c-driver packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.