{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "2.12.0"
              },
              {
                "fixed": "2.12.2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.11.0-NA"
              }
            ]
          },
          "events": [
            {
              "introduced": "e75af27dc5966e9315d04f73ffa2c42549318a02"
            },
            {
              "fixed": "a4a3888f4fb51bb518b1eb5002effc2d47f2ea6a"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "cb27a82ea70620ad1acad8058809be8302ae4f2a"
            }
          ],
          "repo": "https://github.com/mongodb/mongo-csharp-driver",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as \"saslStart\", \"saslContinue\", \"isMaster\", \"createUser\", and \"updateUser\" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver v2.12 versions prior to and including 2.12.1.",
  "id": "CVE-2021-20331",
  "modified": "2026-03-13T21:56:51.840751626Z",
  "published": "2021-05-13T08:15:06.557Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://jira.mongodb.org/browse/CSHARP-3521"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}