| packages: |
| - module: go.mongodb.org/mongo-driver |
| package: go.mongodb.org/mongo-driver/bson/bsonrw |
| symbols: |
| - valueWriter.writeElementHeader |
| derived_symbols: |
| - Copier.AppendArrayBytes |
| - Copier.AppendDocumentBytes |
| - Copier.AppendValueBytes |
| - Copier.CopyArrayFromBytes |
| - Copier.CopyBytesToArrayWriter |
| - Copier.CopyBytesToDocumentWriter |
| - Copier.CopyDocument |
| - Copier.CopyDocumentFromBytes |
| - Copier.CopyDocumentToBytes |
| - Copier.CopyValue |
| - Copier.CopyValueFromBytes |
| - Copier.CopyValueToBytes |
| - CopyDocument |
| - valueWriter.WriteArray |
| - valueWriter.WriteBinary |
| - valueWriter.WriteBinaryWithSubtype |
| - valueWriter.WriteBoolean |
| - valueWriter.WriteCodeWithScope |
| - valueWriter.WriteDBPointer |
| - valueWriter.WriteDateTime |
| - valueWriter.WriteDecimal128 |
| - valueWriter.WriteDocument |
| - valueWriter.WriteDouble |
| - valueWriter.WriteInt32 |
| - valueWriter.WriteInt64 |
| - valueWriter.WriteJavascript |
| - valueWriter.WriteMaxKey |
| - valueWriter.WriteMinKey |
| - valueWriter.WriteNull |
| - valueWriter.WriteObjectID |
| - valueWriter.WriteRegex |
| - valueWriter.WriteString |
| - valueWriter.WriteSymbol |
| - valueWriter.WriteTimestamp |
| - valueWriter.WriteUndefined |
| - valueWriter.WriteValueBytes |
| versions: |
| - fixed: 1.5.1 |
| description: | |
| Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed |
| Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are |
| affected if they use this package to handle untrusted user input. |
| published: 2021-07-28T18:08:05Z |
| cves: |
| - CVE-2021-20329 |
| ghsas: |
| - GHSA-f6mq-5m25-4r72 |
| links: |
| pr: https://github.com/mongodb/mongo-go-driver/pull/622 |
| commit: https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca |
| context: |
| - https://github.com/advisories/GHSA-f6mq-5m25-4r72 |
| - https://jira.mongodb.org/browse/GODRIVER-1923 |