{
"schema_version": "1.3.1",
"id": "GO-2021-0112",
"modified": "0001-01-01T00:00:00Z",
"published": "2021-07-28T18:08:05Z",
"aliases": [
"CVE-2021-20329",
"GHSA-f6mq-5m25-4r72"
],
"summary": "Improper input validation in go.mongodb.org/mongo-driver",
"details": "Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are affected if they use this package to handle untrusted user input.",
"affected": [
{
"package": {
"name": "go.mongodb.org/mongo-driver",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "go.mongodb.org/mongo-driver/x/bsonx/bsoncore",
"symbols": [
"AppendArrayElement",
"AppendArrayElementStart",
"AppendBinaryElement",
"AppendBooleanElement",
"AppendCodeWithScopeElement",
"AppendDBPointerElement",
"AppendDateTimeElement",
"AppendDecimal128Element",
"AppendDocumentElement",
"AppendDocumentElementStart",
"AppendDoubleElement",
"AppendHeader",
"AppendInt32Element",
"AppendInt64Element",
"AppendJavaScriptElement",
"AppendMaxKeyElement",
"AppendMinKeyElement",
"AppendNullElement",
"AppendObjectIDElement",
"AppendRegex",
"AppendRegexElement",
"AppendStringElement",
"AppendSymbolElement",
"AppendTimeElement",
"AppendTimestampElement",
"AppendUndefinedElement",
"AppendValueElement",
"ArrayBuilder.AppendArray",
"ArrayBuilder.AppendBinary",
"ArrayBuilder.AppendBoolean",
"ArrayBuilder.AppendCodeWithScope",
"ArrayBuilder.AppendDBPointer",
"ArrayBuilder.AppendDateTime",
"ArrayBuilder.AppendDecimal128",
"ArrayBuilder.AppendDocument",
"ArrayBuilder.AppendDouble",
"ArrayBuilder.AppendInt32",
"ArrayBuilder.AppendInt64",
"ArrayBuilder.AppendJavaScript",
"ArrayBuilder.AppendMaxKey",
"ArrayBuilder.AppendMinKey",
"ArrayBuilder.AppendNull",
"ArrayBuilder.AppendObjectID",
"ArrayBuilder.AppendRegex",
"ArrayBuilder.AppendString",
"ArrayBuilder.AppendSymbol",
"ArrayBuilder.AppendTimestamp",
"ArrayBuilder.AppendUndefined",
"ArrayBuilder.AppendValue",
"ArrayBuilder.StartArray",
"BuildArray",
"BuildArrayElement",
"BuildDocumentElement",
"DocumentBuilder.AppendArray",
"DocumentBuilder.AppendBinary",
"DocumentBuilder.AppendBoolean",
"DocumentBuilder.AppendCodeWithScope",
"DocumentBuilder.AppendDBPointer",
"DocumentBuilder.AppendDateTime",
"DocumentBuilder.AppendDecimal128",
"DocumentBuilder.AppendDocument",
"DocumentBuilder.AppendDouble",
"DocumentBuilder.AppendInt32",
"DocumentBuilder.AppendInt64",
"DocumentBuilder.AppendJavaScript",
"DocumentBuilder.AppendMaxKey",
"DocumentBuilder.AppendMinKey",
"DocumentBuilder.AppendNull",
"DocumentBuilder.AppendObjectID",
"DocumentBuilder.AppendRegex",
"DocumentBuilder.AppendString",
"DocumentBuilder.AppendSymbol",
"DocumentBuilder.AppendTimestamp",
"DocumentBuilder.AppendUndefined",
"DocumentBuilder.AppendValue",
"DocumentBuilder.StartDocument"
]
},
{
"path": "go.mongodb.org/mongo-driver/bson/bsonrw",
"symbols": [
"Copier.AppendArrayBytes",
"Copier.AppendDocumentBytes",
"Copier.AppendValueBytes",
"Copier.CopyArrayFromBytes",
"Copier.CopyBytesToArrayWriter",
"Copier.CopyBytesToDocumentWriter",
"Copier.CopyDocument",
"Copier.CopyDocumentFromBytes",
"Copier.CopyDocumentToBytes",
"Copier.CopyValue",
"Copier.CopyValueFromBytes",
"Copier.CopyValueToBytes",
"CopyDocument",
"valueWriter.WriteArray",
"valueWriter.WriteBinary",
"valueWriter.WriteBinaryWithSubtype",
"valueWriter.WriteBoolean",
"valueWriter.WriteCodeWithScope",
"valueWriter.WriteDBPointer",
"valueWriter.WriteDateTime",
"valueWriter.WriteDecimal128",
"valueWriter.WriteDocument",
"valueWriter.WriteDouble",
"valueWriter.WriteInt32",
"valueWriter.WriteInt64",
"valueWriter.WriteJavascript",
"valueWriter.WriteMaxKey",
"valueWriter.WriteMinKey",
"valueWriter.WriteNull",
"valueWriter.WriteObjectID",
"valueWriter.WriteRegex",
"valueWriter.WriteString",
"valueWriter.WriteSymbol",
"valueWriter.WriteTimestamp",
"valueWriter.WriteUndefined",
"valueWriter.WriteValueBytes",
"valueWriter.writeElementHeader"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/mongodb/mongo-go-driver/pull/622"
},
{
"type": "FIX",
"url": "https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/GODRIVER-1923"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0112",
"review_status": "REVIEWED"
}
}