SCA: security update for mongodb-client-encryption (GHSA-rjmf-p882-645m)

medium Tenable Self-Hosted Container Security Plugin ID 418786

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of
the KMS server’s certificate. This vulnerability in combination with a privileged network position active
MITM attack could result in interception of traffic between the Node.js driver and the KMS service
rendering client-side field level encryption (CSFLE) ineffective. This issue was discovered during
internal testing and affects mongodb-client-encryption module version 1.2.0, which was available from
2021-Jan-29 and deprecated in the NPM Registry on 2021-Feb-04. This vulnerability does not impact driver
traffic payloads with CSFLE-supported key services from applications residing inside the AWS, GCP, and
Azure nework fabrics due to compensating controls in these environments. This issue does not impact driver
workloads that don’t use Field Level Encryption. This issue affect MongoDB Node.js Driver mongodb-client-
encryption module version 1.2.0 (CVE-2021-20327)

See Also

https://github.com/advisories/GHSA-rjmf-p882-645m

Plugin Details

Severity: Medium

ID: 418786

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2021-20327

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/12/2021

Vulnerability Publication Date: 2/25/2021

Reference Information

CVE: CVE-2021-20327

cwe: CWE-295