| { |
| "schema_version": "1.3.1", |
| "id": "GO-2021-0112", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "2021-07-28T18:08:05Z", |
| "aliases": [ |
| "CVE-2021-20329", |
| "GHSA-f6mq-5m25-4r72" |
| ], |
| "summary": "Improper input validation in go.mongodb.org/mongo-driver", |
| "details": "Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are affected if they use this package to handle untrusted user input.", |
| "affected": [ |
| { |
| "package": { |
| "name": "go.mongodb.org/mongo-driver", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.5.1" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "go.mongodb.org/mongo-driver/x/bsonx/bsoncore", |
| "symbols": [ |
| "AppendArrayElement", |
| "AppendArrayElementStart", |
| "AppendBinaryElement", |
| "AppendBooleanElement", |
| "AppendCodeWithScopeElement", |
| "AppendDBPointerElement", |
| "AppendDateTimeElement", |
| "AppendDecimal128Element", |
| "AppendDocumentElement", |
| "AppendDocumentElementStart", |
| "AppendDoubleElement", |
| "AppendHeader", |
| "AppendInt32Element", |
| "AppendInt64Element", |
| "AppendJavaScriptElement", |
| "AppendMaxKeyElement", |
| "AppendMinKeyElement", |
| "AppendNullElement", |
| "AppendObjectIDElement", |
| "AppendRegex", |
| "AppendRegexElement", |
| "AppendStringElement", |
| "AppendSymbolElement", |
| "AppendTimeElement", |
| "AppendTimestampElement", |
| "AppendUndefinedElement", |
| "AppendValueElement", |
| "ArrayBuilder.AppendArray", |
| "ArrayBuilder.AppendBinary", |
| "ArrayBuilder.AppendBoolean", |
| "ArrayBuilder.AppendCodeWithScope", |
| "ArrayBuilder.AppendDBPointer", |
| "ArrayBuilder.AppendDateTime", |
| "ArrayBuilder.AppendDecimal128", |
| "ArrayBuilder.AppendDocument", |
| "ArrayBuilder.AppendDouble", |
| "ArrayBuilder.AppendInt32", |
| "ArrayBuilder.AppendInt64", |
| "ArrayBuilder.AppendJavaScript", |
| "ArrayBuilder.AppendMaxKey", |
| "ArrayBuilder.AppendMinKey", |
| "ArrayBuilder.AppendNull", |
| "ArrayBuilder.AppendObjectID", |
| "ArrayBuilder.AppendRegex", |
| "ArrayBuilder.AppendString", |
| "ArrayBuilder.AppendSymbol", |
| "ArrayBuilder.AppendTimestamp", |
| "ArrayBuilder.AppendUndefined", |
| "ArrayBuilder.AppendValue", |
| "ArrayBuilder.StartArray", |
| "BuildArray", |
| "BuildArrayElement", |
| "BuildDocumentElement", |
| "DocumentBuilder.AppendArray", |
| "DocumentBuilder.AppendBinary", |
| "DocumentBuilder.AppendBoolean", |
| "DocumentBuilder.AppendCodeWithScope", |
| "DocumentBuilder.AppendDBPointer", |
| "DocumentBuilder.AppendDateTime", |
| "DocumentBuilder.AppendDecimal128", |
| "DocumentBuilder.AppendDocument", |
| "DocumentBuilder.AppendDouble", |
| "DocumentBuilder.AppendInt32", |
| "DocumentBuilder.AppendInt64", |
| "DocumentBuilder.AppendJavaScript", |
| "DocumentBuilder.AppendMaxKey", |
| "DocumentBuilder.AppendMinKey", |
| "DocumentBuilder.AppendNull", |
| "DocumentBuilder.AppendObjectID", |
| "DocumentBuilder.AppendRegex", |
| "DocumentBuilder.AppendString", |
| "DocumentBuilder.AppendSymbol", |
| "DocumentBuilder.AppendTimestamp", |
| "DocumentBuilder.AppendUndefined", |
| "DocumentBuilder.AppendValue", |
| "DocumentBuilder.StartDocument" |
| ] |
| }, |
| { |
| "path": "go.mongodb.org/mongo-driver/bson/bsonrw", |
| "symbols": [ |
| "Copier.AppendArrayBytes", |
| "Copier.AppendDocumentBytes", |
| "Copier.AppendValueBytes", |
| "Copier.CopyArrayFromBytes", |
| "Copier.CopyBytesToArrayWriter", |
| "Copier.CopyBytesToDocumentWriter", |
| "Copier.CopyDocument", |
| "Copier.CopyDocumentFromBytes", |
| "Copier.CopyDocumentToBytes", |
| "Copier.CopyValue", |
| "Copier.CopyValueFromBytes", |
| "Copier.CopyValueToBytes", |
| "CopyDocument", |
| "valueWriter.WriteArray", |
| "valueWriter.WriteBinary", |
| "valueWriter.WriteBinaryWithSubtype", |
| "valueWriter.WriteBoolean", |
| "valueWriter.WriteCodeWithScope", |
| "valueWriter.WriteDBPointer", |
| "valueWriter.WriteDateTime", |
| "valueWriter.WriteDecimal128", |
| "valueWriter.WriteDocument", |
| "valueWriter.WriteDouble", |
| "valueWriter.WriteInt32", |
| "valueWriter.WriteInt64", |
| "valueWriter.WriteJavascript", |
| "valueWriter.WriteMaxKey", |
| "valueWriter.WriteMinKey", |
| "valueWriter.WriteNull", |
| "valueWriter.WriteObjectID", |
| "valueWriter.WriteRegex", |
| "valueWriter.WriteString", |
| "valueWriter.WriteSymbol", |
| "valueWriter.WriteTimestamp", |
| "valueWriter.WriteUndefined", |
| "valueWriter.WriteValueBytes", |
| "valueWriter.writeElementHeader" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://github.com/mongodb/mongo-go-driver/pull/622" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://jira.mongodb.org/browse/GODRIVER-1923" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2021-0112", |
| "review_status": "REVIEWED" |
| } |
| } |
