Bug 1971033 (CVE-2021-20329) - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated
Summary: CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly v...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20329
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2176301 2176302 2176303 2176304 2176305 2176306 2176307 2176308 2176309 2176310 2176311 2176312 2176313
Blocks: 1971034
TreeView+ depends on / blocked
 
Reported: 2021-06-11 17:27 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-02-27 20:43 UTC (History)
77 users (show)

Fixed In Version: mongo-go-driver 1.5.1, mongo-driver 1.5.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Mongo. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshaling Go objects into BSON. This flaw allows a malicious user to use a Go object with a specific string to inject additional fields into marshaled documents.
Clone Of:
Environment:
Last Closed: 2023-03-29 06:46:18 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1326 0 None None None 2023-05-17 22:31:00 UTC
Red Hat Product Errata RHSA-2023:1328 0 None None None 2023-05-18 00:21:01 UTC
Red Hat Product Errata RHSA-2023:1392 0 None None None 2023-03-29 02:46:09 UTC
Red Hat Product Errata RHSA-2023:1409 0 None None None 2023-03-27 12:00:20 UTC
Red Hat Product Errata RHSA-2023:1504 0 None None None 2023-04-04 11:27:20 UTC
Red Hat Product Errata RHSA-2023:1525 0 None None None 2023-04-05 23:07:06 UTC
Red Hat Product Errata RHSA-2023:1656 0 None None None 2023-04-12 11:42:25 UTC
Red Hat Product Errata RHSA-2023:3645 0 None None None 2023-06-15 20:56:19 UTC
Red Hat Product Errata RHSA-2023:4730 0 None None None 2023-08-30 17:55:43 UTC
Red Hat Product Errata RHSA-2023:5006 0 None None None 2023-10-31 12:54:25 UTC
Red Hat Product Errata RHSA-2023:5007 0 None None None 2023-10-31 13:45:31 UTC
Red Hat Product Errata RHSA-2023:6817 0 None None None 2023-11-08 14:03:34 UTC
Red Hat Product Errata RHSA-2024:0193 0 None None None 2024-01-17 09:48:23 UTC

Description Guilherme de Almeida Suckevicz 2021-06-11 17:27:15 UTC 
Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.

Reference:
https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1
Comment 1 Product Security DevOps Team 2021-06-24 16:40:26 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20329
Comment 12 errata-xmlrpc 2023-03-27 12:00:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:1409 https://access.redhat.com/errata/RHSA-2023:1409
Comment 13 errata-xmlrpc 2023-03-29 02:46:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1392 https://access.redhat.com/errata/RHSA-2023:1392
Comment 14 Product Security DevOps Team 2023-03-29 06:46:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20329
Comment 17 errata-xmlrpc 2023-04-04 11:27:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:1504 https://access.redhat.com/errata/RHSA-2023:1504
Comment 18 errata-xmlrpc 2023-04-05 23:07:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:1525 https://access.redhat.com/errata/RHSA-2023:1525
Comment 20 errata-xmlrpc 2023-04-12 11:42:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1656 https://access.redhat.com/errata/RHSA-2023:1656
Comment 28 errata-xmlrpc 2023-05-17 22:30:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326
Comment 29 errata-xmlrpc 2023-05-18 00:20:58 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1328 https://access.redhat.com/errata/RHSA-2023:1328
Comment 30 errata-xmlrpc 2023-06-15 20:56:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.2 for RHEL 8

Via RHSA-2023:3645 https://access.redhat.com/errata/RHSA-2023:3645
Comment 31 errata-xmlrpc 2023-08-30 17:55:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4730 https://access.redhat.com/errata/RHSA-2023:4730
Comment 32 errata-xmlrpc 2023-10-31 12:54:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006
Comment 33 errata-xmlrpc 2023-10-31 13:45:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5007 https://access.redhat.com/errata/RHSA-2023:5007
Comment 34 errata-xmlrpc 2023-11-08 14:03:29 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.14

Via RHSA-2023:6817 https://access.redhat.com/errata/RHSA-2023:6817
Comment 35 errata-xmlrpc 2024-01-17 09:48:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0193 https://access.redhat.com/errata/RHSA-2024:0193
Note You need to log in before you can comment on or make changes to this bug.