Vulnerability Report: GO-2021-0112

CVE-2021-20329, GHSA-f6mq-5m25-4r72
Affects: go.mongodb.org/mongo-driver
Published: Jul 28, 2021
Modified: May 20, 2024

Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are affected if they use this package to handle untrusted user input.

Affected Packages

Path

Go Versions

Symbols
go.mongodb.org/mongo-driver/x/bsonx/bsoncore

before v1.5.1
76 affected symbols
go.mongodb.org/mongo-driver/bson/bsonrw

before v1.5.1
13 affected symbols

Aliases

CVE-2021-20329
GHSA-f6mq-5m25-4r72

References

https://github.com/mongodb/mongo-go-driver/pull/622
https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca
https://jira.mongodb.org/browse/GODRIVER-1923
https://vuln.go.dev/ID/GO-2021-0112.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL