Bug 1971033 (CVE-2021-20329)

Summary: CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abenaiss, amackenz, amasferr, amctagga, aveerama, bdettelb, chazlett, dbecker, dcadzow, dfreiber, dkenigsb, dperaza, dymurray, eglynn, ellin, fdeutsch, gghezzo, gparvin, ibolton, jburrell, jcantril, jchui, jjoyce, jkoehler, jmatthew, jmontleo, jramanat, jschluet, jweiser, jwendell, kaycoth, lball, lgamliel, lhh, lpeer, matzew, mburns, mfilanov, mgarciac, mkudlej, mrajanna, muagarwa, mwringe, nbecker, njean, ocs-bugs, oramraz, ovanders, owatkins, pahickey, periklis, rcernich, rfreiman, rgarg, rhos-maint, rhuss, rjohnson, rogbas, rrajasek, sclewis, scorneli, sgott, shbose, slinaber, slucidi, smullick, spower, sseago, stcannon, teagle, thee, tjochec, tnielsen, twalsh, ubhargav, vkumar, whayutin
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mongo-go-driver 1.5.1, mongo-driver 1.5.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Mongo. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshaling Go objects into BSON. This flaw allows a malicious user to use a Go object with a specific string to inject additional fields into marshaled documents.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-29 06:46:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2176301, 2176302, 2176303, 2176304, 2176305, 2176306, 2176307, 2176308, 2176309, 2176310, 2176311, 2176312, 2176313    
Bug Blocks: 1971034    

Description Guilherme de Almeida Suckevicz 2021-06-11 17:27:15 UTC 
Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.

Reference:
https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1
Comment 1 Product Security DevOps Team 2021-06-24 16:40:26 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20329
Comment 12 errata-xmlrpc 2023-03-27 12:00:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:1409 https://access.redhat.com/errata/RHSA-2023:1409
Comment 13 errata-xmlrpc 2023-03-29 02:46:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1392 https://access.redhat.com/errata/RHSA-2023:1392
Comment 14 Product Security DevOps Team 2023-03-29 06:46:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20329
Comment 17 errata-xmlrpc 2023-04-04 11:27:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:1504 https://access.redhat.com/errata/RHSA-2023:1504
Comment 18 errata-xmlrpc 2023-04-05 23:07:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:1525 https://access.redhat.com/errata/RHSA-2023:1525
Comment 20 errata-xmlrpc 2023-04-12 11:42:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1656 https://access.redhat.com/errata/RHSA-2023:1656
Comment 28 errata-xmlrpc 2023-05-17 22:30:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326
Comment 29 errata-xmlrpc 2023-05-18 00:20:58 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1328 https://access.redhat.com/errata/RHSA-2023:1328
Comment 30 errata-xmlrpc 2023-06-15 20:56:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.2 for RHEL 8

Via RHSA-2023:3645 https://access.redhat.com/errata/RHSA-2023:3645
Comment 31 errata-xmlrpc 2023-08-30 17:55:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4730 https://access.redhat.com/errata/RHSA-2023:4730
Comment 32 errata-xmlrpc 2023-10-31 12:54:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006
Comment 33 errata-xmlrpc 2023-10-31 13:45:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5007 https://access.redhat.com/errata/RHSA-2023:5007
Comment 34 errata-xmlrpc 2023-11-08 14:03:29 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.14

Via RHSA-2023:6817 https://access.redhat.com/errata/RHSA-2023:6817
Comment 35 errata-xmlrpc 2024-01-17 09:48:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0193 https://access.redhat.com/errata/RHSA-2024:0193