CVE-2021-20329 - OpenCVE

Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers prior to and including 1.5.0.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mongodb	Go Driver

Configuration 1 [-]

cpe:2.3:a:mongodb:go_driver:*:*:*:*:*:mongodb:*:*

References

Link	Resource
https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1	Release Notes Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mongodb

Published: 2021-06-10T00:00:00

Updated: 2024-01-23T16:03:19.528Z

Reserved: 2020-12-17T00:00:00

Link: CVE-2021-20329

JSON object: View

NVD Information

Status : Modified

Published: 2021-06-10T17:15:08.047

Modified: 2024-01-23T16:15:49.537

Link: CVE-2021-20329

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Go Driver", "vendor": "MongoDB Inc.", "versions": [{"lessThanOrEqual": "1.5.0", "status": "affected", "version": "1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Hugo Ferrando Seage"}], "datePublic": "2021-06-09T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers prior to and including 1.5.0.</p>"}], "value": "Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers prior to and including 1.5.0.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2024-01-23T16:03:19.528Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1"}], "source": {"discovery": "EXTERNAL"}, "title": "Specific cstrings input may not be properly validated in the Go Driver", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@mongodb.com", "DATE_PUBLIC": "2021-06-10T14:00:00.000Z", "ID": "CVE-2021-20329", "STATE": "PUBLIC", "TITLE": "Specific cstrings input may not be properly validated in the Go Driver"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MongoDB Go Driver", "version": {"version_data": [{"version_affected": "<=", "version_name": "1.0", "version_value": "1.5.0"}]}}]}, "vendor_name": "MongoDB Inc."}]}}, "credit": [{"lang": "eng", "value": "Hugo Ferrando Seage"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-1287: Improper Validation of Specified Type of Input"}]}]}, "references": {"reference_data": [{"name": "https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1", "refsource": "CONFIRM", "url": "https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1"}]}, "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "assignerShortName": "mongodb", "cveId": "CVE-2021-20329", "datePublished": "2021-06-10T00:00:00", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-01-23T16:03:19.528Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:go_driver:*:*:*:*:*:mongodb:*:*", "matchCriteriaId": "95312D9A-F73D-4AF8-9735-2AF0A856A157", "versionEndIncluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers prior to and including 1.5.0.\n\n"}, {"lang": "es", "value": "Es posible que la entrada de cadenas de caracteres espec\u00edficas no se validen apropiadamente en el controlador MongoDB Go al marshallar objetos Go en BSON. Un usuario malicioso podr\u00eda usar un objeto Go con una cadena espec\u00edfica para inyectar potencialmente campos adicionales en los documentos ordenados. Este problema afecta a todos los controladores GO de MongoDB hasta (e incluyendo) la versi\u00f3n 1.5.0"}], "id": "CVE-2021-20329", "lastModified": "2024-01-23T16:15:49.537", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2021-06-10T17:15:08.047", "references": [{"source": "cna@mongodb.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1287"}], "source": "cna@mongodb.com", "type": "Secondary"}]}