CVE-2021-20329: go.mongodb.org/mongo-driver improperly validates cstrings when marshalling Go objects into BSON
Specific cstring input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object containing a specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB Go Drivers up to (and including) 1.5.0.
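As an added defensive check (not the driver's own code; the driver itself was fixed in v1.5.1, see the references below): BSON stores element keys as NUL-terminated cstrings, so a NUL byte inside a key is what allows extra fields to appear in the marshalled document. The walk below rejects any map key containing a NUL byte before the document is handed to a marshaller. `ValidateKeys`, `ErrNulInKey` and the sample document are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNulInKey is returned when a document key contains a NUL byte.
// A NUL inside a BSON key would terminate the cstring early, so the
// remaining bytes could be read back as additional elements.
var ErrNulInKey = errors.New("bson key contains NUL byte")

// ValidateKeys walks a document built from map[string]interface{} and
// []interface{} (the shapes used for bson.M / bson.A style documents)
// and returns an error naming the path of the first key holding a NUL.
func ValidateKeys(doc interface{}) error {
	return walk(doc, "")
}

func walk(v interface{}, path string) error {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			if strings.ContainsRune(k, 0) {
				// %q renders the NUL as \x00 so the offending key is readable.
				return fmt.Errorf("%w at %q", ErrNulInKey, path+"/"+k)
			}
			if err := walk(child, path+"/"+k); err != nil {
				return err
			}
		}
	case []interface{}:
		for i, child := range t {
			if err := walk(child, fmt.Sprintf("%s/%d", path, i)); err != nil {
				return err
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample: a field name taken from untrusted input with an embedded NUL.
	untrusted := map[string]interface{}{
		"name": "alice",
		"prefs": map[string]interface{}{
			"theme\x00role": "admin",
		},
	}
	if err := ValidateKeys(untrusted); err != nil {
		fmt.Println("rejected:", err) // rejected: bson key contains NUL byte at "/prefs/theme\x00role"
	}
}
```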
References
- github.com/advisories/GHSA-f6mq-5m25-4r72
- github.com/mongodb/mongo-go-driver
- github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca
- github.com/mongodb/mongo-go-driver/pull/622
- github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1
- jira.mongodb.org/browse/GODRIVER-1923
- nvd.nist.gov/vuln/detail/CVE-2021-20329
- pkg.go.dev/vuln/GO-2021-0112
Detect and mitigate CVE-2021-20329 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.