CVE-2021-20329 (Medium) detected in multiple libraries

[mend-for-github-com]

CVE-2021-20329 - Medium Severity Vulnerability

Vulnerable Libraries - go.mongodb.org/mongo-driver/bson-v1.0.3, go.mongodb.org/mongo-driver/bson/bsonrw-v1.0.3, go.mongodb.org/mongo-driver/x/bsonx/bsoncore-v1.0.3

go.mongodb.org/mongo-driver/bson-v1.0.3

The Go driver for MongoDB

Dependency Hierarchy:

• ❌ go.mongodb.org/mongo-driver/bson-v1.0.3 (Vulnerable Library)

go.mongodb.org/mongo-driver/bson/bsonrw-v1.0.3

The Go driver for MongoDB

Dependency Hierarchy:

• go.mongodb.org/mongo-driver/mongo-v1.0.3 (Root Library)
  • go.mongodb.org/mongo-driver/x/bsonx/bsoncore-v1.0.3
    • go.mongodb.org/mongo-driver/bson/primitive-v1.0.3
      • go.mongodb.org/mongo-driver/bson/bsoncodec-v1.0.3
        • ❌ go.mongodb.org/mongo-driver/bson/bsonrw-v1.0.3 (Vulnerable Library)

go.mongodb.org/mongo-driver/x/bsonx/bsoncore-v1.0.3

The Go driver for MongoDB

Dependency Hierarchy:

• go.mongodb.org/mongo-driver/mongo-v1.0.3 (Root Library)
  • ❌ go.mongodb.org/mongo-driver/x/bsonx/bsoncore-v1.0.3 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.

Publish Date: 2021-06-10

URL: CVE-2021-20329

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-06-10

Fix Resolution: v1.5.1