Vulnerability Report: GO-2021-0112
- CVE-2021-20329, GHSA-f6mq-5m25-4r72
- Affects: go.mongodb.org/mongo-driver
- Published: Jul 28, 2021
- Modified: Jun 12, 2023
Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are affected if they use this package to handle untrusted user input.
Affected Packages
-
PathVersionsSymbols
-
before v1.5.1
76 affected symbols
- AppendArrayElement
- AppendArrayElementStart
- AppendBinaryElement
- AppendBooleanElement
- AppendCodeWithScopeElement
- AppendDBPointerElement
- AppendDateTimeElement
- AppendDecimal128Element
- AppendDocumentElement
- AppendDocumentElementStart
- AppendDoubleElement
- AppendHeader
- AppendInt32Element
- AppendInt64Element
- AppendJavaScriptElement
- AppendMaxKeyElement
- AppendMinKeyElement
- AppendNullElement
- AppendObjectIDElement
- AppendRegex
- AppendRegexElement
- AppendStringElement
- AppendSymbolElement
- AppendTimeElement
- AppendTimestampElement
- AppendUndefinedElement
- AppendValueElement
- ArrayBuilder.AppendArray
- ArrayBuilder.AppendBinary
- ArrayBuilder.AppendBoolean
- ArrayBuilder.AppendCodeWithScope
- ArrayBuilder.AppendDBPointer
- ArrayBuilder.AppendDateTime
- ArrayBuilder.AppendDecimal128
- ArrayBuilder.AppendDocument
- ArrayBuilder.AppendDouble
- ArrayBuilder.AppendInt32
- ArrayBuilder.AppendInt64
- ArrayBuilder.AppendJavaScript
- ArrayBuilder.AppendMaxKey
- ArrayBuilder.AppendMinKey
- ArrayBuilder.AppendNull
- ArrayBuilder.AppendObjectID
- ArrayBuilder.AppendRegex
- ArrayBuilder.AppendString
- ArrayBuilder.AppendSymbol
- ArrayBuilder.AppendTimestamp
- ArrayBuilder.AppendUndefined
- ArrayBuilder.AppendValue
- ArrayBuilder.StartArray
- BuildArray
- BuildArrayElement
- BuildDocumentElement
- DocumentBuilder.AppendArray
- DocumentBuilder.AppendBinary
- DocumentBuilder.AppendBoolean
- DocumentBuilder.AppendCodeWithScope
- DocumentBuilder.AppendDBPointer
- DocumentBuilder.AppendDateTime
- DocumentBuilder.AppendDecimal128
- DocumentBuilder.AppendDocument
- DocumentBuilder.AppendDouble
- DocumentBuilder.AppendInt32
- DocumentBuilder.AppendInt64
- DocumentBuilder.AppendJavaScript
- DocumentBuilder.AppendMaxKey
- DocumentBuilder.AppendMinKey
- DocumentBuilder.AppendNull
- DocumentBuilder.AppendObjectID
- DocumentBuilder.AppendRegex
- DocumentBuilder.AppendString
- DocumentBuilder.AppendSymbol
- DocumentBuilder.AppendTimestamp
- DocumentBuilder.AppendUndefined
- DocumentBuilder.AppendValue
- DocumentBuilder.StartDocument
-
before v1.5.1
13 affected symbols
- Copier.AppendArrayBytes
- Copier.AppendDocumentBytes
- Copier.AppendValueBytes
- Copier.CopyArrayFromBytes
- Copier.CopyBytesToArrayWriter
- Copier.CopyBytesToDocumentWriter
- Copier.CopyDocument
- Copier.CopyDocumentFromBytes
- Copier.CopyDocumentToBytes
- Copier.CopyValue
- Copier.CopyValueFromBytes
- Copier.CopyValueToBytes
- CopyDocument
Aliases
References
- https://github.com/mongodb/mongo-go-driver/pull/622
- https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca
- https://jira.mongodb.org/browse/GODRIVER-1923
- https://vuln.go.dev/ID/GO-2021-0112.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.