blob: 25d9a6605d6f6230ef65847678adab3b6ba25bef [file] [log] [blame]
id: GO-2021-0112
modules:
- module: go.mongodb.org/mongo-driver
versions:
- fixed: 1.5.1
vulnerable_at: 1.5.0
packages:
- package: go.mongodb.org/mongo-driver/x/bsonx/bsoncore
symbols:
- AppendHeader
- AppendRegex
derived_symbols:
- AppendArrayElement
- AppendArrayElementStart
- AppendBinaryElement
- AppendBooleanElement
- AppendCodeWithScopeElement
- AppendDBPointerElement
- AppendDateTimeElement
- AppendDecimal128Element
- AppendDocumentElement
- AppendDocumentElementStart
- AppendDoubleElement
- AppendInt32Element
- AppendInt64Element
- AppendJavaScriptElement
- AppendMaxKeyElement
- AppendMinKeyElement
- AppendNullElement
- AppendObjectIDElement
- AppendRegexElement
- AppendStringElement
- AppendSymbolElement
- AppendTimeElement
- AppendTimestampElement
- AppendUndefinedElement
- AppendValueElement
- ArrayBuilder.AppendArray
- ArrayBuilder.AppendBinary
- ArrayBuilder.AppendBoolean
- ArrayBuilder.AppendCodeWithScope
- ArrayBuilder.AppendDBPointer
- ArrayBuilder.AppendDateTime
- ArrayBuilder.AppendDecimal128
- ArrayBuilder.AppendDocument
- ArrayBuilder.AppendDouble
- ArrayBuilder.AppendInt32
- ArrayBuilder.AppendInt64
- ArrayBuilder.AppendJavaScript
- ArrayBuilder.AppendMaxKey
- ArrayBuilder.AppendMinKey
- ArrayBuilder.AppendNull
- ArrayBuilder.AppendObjectID
- ArrayBuilder.AppendRegex
- ArrayBuilder.AppendString
- ArrayBuilder.AppendSymbol
- ArrayBuilder.AppendTimestamp
- ArrayBuilder.AppendUndefined
- ArrayBuilder.AppendValue
- ArrayBuilder.StartArray
- BuildArray
- BuildArrayElement
- BuildDocumentElement
- DocumentBuilder.AppendArray
- DocumentBuilder.AppendBinary
- DocumentBuilder.AppendBoolean
- DocumentBuilder.AppendCodeWithScope
- DocumentBuilder.AppendDBPointer
- DocumentBuilder.AppendDateTime
- DocumentBuilder.AppendDecimal128
- DocumentBuilder.AppendDocument
- DocumentBuilder.AppendDouble
- DocumentBuilder.AppendInt32
- DocumentBuilder.AppendInt64
- DocumentBuilder.AppendJavaScript
- DocumentBuilder.AppendMaxKey
- DocumentBuilder.AppendMinKey
- DocumentBuilder.AppendNull
- DocumentBuilder.AppendObjectID
- DocumentBuilder.AppendRegex
- DocumentBuilder.AppendString
- DocumentBuilder.AppendSymbol
- DocumentBuilder.AppendTimestamp
- DocumentBuilder.AppendUndefined
- DocumentBuilder.AppendValue
- DocumentBuilder.StartDocument
- package: go.mongodb.org/mongo-driver/bson/bsonrw
symbols:
- valueWriter.writeElementHeader
derived_symbols:
- Copier.AppendArrayBytes
- Copier.AppendDocumentBytes
- Copier.AppendValueBytes
- Copier.CopyArrayFromBytes
- Copier.CopyBytesToArrayWriter
- Copier.CopyBytesToDocumentWriter
- Copier.CopyDocument
- Copier.CopyDocumentFromBytes
- Copier.CopyDocumentToBytes
- Copier.CopyValue
- Copier.CopyValueFromBytes
- Copier.CopyValueToBytes
- CopyDocument
- valueWriter.WriteArray
- valueWriter.WriteBinary
- valueWriter.WriteBinaryWithSubtype
- valueWriter.WriteBoolean
- valueWriter.WriteCodeWithScope
- valueWriter.WriteDBPointer
- valueWriter.WriteDateTime
- valueWriter.WriteDecimal128
- valueWriter.WriteDocument
- valueWriter.WriteDouble
- valueWriter.WriteInt32
- valueWriter.WriteInt64
- valueWriter.WriteJavascript
- valueWriter.WriteMaxKey
- valueWriter.WriteMinKey
- valueWriter.WriteNull
- valueWriter.WriteObjectID
- valueWriter.WriteRegex
- valueWriter.WriteString
- valueWriter.WriteSymbol
- valueWriter.WriteTimestamp
- valueWriter.WriteUndefined
- valueWriter.WriteValueBytes
summary: Improper input validation in go.mongodb.org/mongo-driver
description: |-
Due to improper input sanitization when marshalling Go objects into BSON, a
maliciously constructed Go structure could allow an attacker to inject
additional fields into a MongoDB document. Users are affected if they use this
package to handle untrusted user input.
published: 2021-07-28T18:08:05Z
cves:
- CVE-2021-20329
ghsas:
- GHSA-f6mq-5m25-4r72
references:
- fix: https://github.com/mongodb/mongo-go-driver/pull/622
- fix: https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca
- web: https://jira.mongodb.org/browse/GODRIVER-1923
review_status: REVIEWED