blob: 20a59f1fca1c059eaf39ab10facec263f8ba6a5c [file] [log] [blame]
packages:
- module: go.mongodb.org/mongo-driver
package: go.mongodb.org/mongo-driver/bson/bsonrw
symbols:
- valueWriter.writeElementHeader
derived_symbols:
- Copier.AppendArrayBytes
- Copier.AppendDocumentBytes
- Copier.AppendValueBytes
- Copier.CopyArrayFromBytes
- Copier.CopyBytesToArrayWriter
- Copier.CopyBytesToDocumentWriter
- Copier.CopyDocument
- Copier.CopyDocumentFromBytes
- Copier.CopyDocumentToBytes
- Copier.CopyValue
- Copier.CopyValueFromBytes
- Copier.CopyValueToBytes
- CopyDocument
- valueWriter.WriteArray
- valueWriter.WriteBinary
- valueWriter.WriteBinaryWithSubtype
- valueWriter.WriteBoolean
- valueWriter.WriteCodeWithScope
- valueWriter.WriteDBPointer
- valueWriter.WriteDateTime
- valueWriter.WriteDecimal128
- valueWriter.WriteDocument
- valueWriter.WriteDouble
- valueWriter.WriteInt32
- valueWriter.WriteInt64
- valueWriter.WriteJavascript
- valueWriter.WriteMaxKey
- valueWriter.WriteMinKey
- valueWriter.WriteNull
- valueWriter.WriteObjectID
- valueWriter.WriteRegex
- valueWriter.WriteString
- valueWriter.WriteSymbol
- valueWriter.WriteTimestamp
- valueWriter.WriteUndefined
- valueWriter.WriteValueBytes
versions:
- fixed: 1.5.1
description: |
Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed
Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are
affected if they use this package to handle untrusted user input.
published: 2021-07-28T18:08:05Z
cves:
- CVE-2021-20329
ghsas:
- GHSA-f6mq-5m25-4r72
links:
pr: https://github.com/mongodb/mongo-go-driver/pull/622
commit: https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca
context:
- https://github.com/advisories/GHSA-f6mq-5m25-4r72
- https://jira.mongodb.org/browse/GODRIVER-1923