CVE-2021-20329

Specific cstrings input may not be properly validated in the Go Driver

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers prior to and including 1.5.0.

Es posible que la entrada de cadenas de caracteres específicas no se validen apropiadamente en el controlador MongoDB Go al marshallar objetos Go en BSON. Un usuario malicioso podría usar un objeto Go con una cadena específica para inyectar potencialmente campos adicionales en los documentos ordenados. Este problema afecta a todos los controladores GO de MongoDB hasta (e incluyendo) la versión 1.5.0

A flaw was found in Mongo. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshaling Go objects into BSON. This flaw allows a malicious user to use a Go object with a specific string to inject additional fields into marshaled documents.

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.

*Credits: Hugo Ferrando Seage

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-17 CVE Reserved
2021-06-10 CVE Published
2024-09-16 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-1287: Improper Validation of Specified Type of Input

CAPEC

References (3)

URL	Tag	Source
https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1	Release Notes

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-20329	2024-01-17
https://bugzilla.redhat.com/show_bug.cgi?id=1971033	2024-01-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mongodb Search vendor "Mongodb"		Go Driver Search vendor "Mongodb" for product "Go Driver"				<= 1.5.0 Search vendor "Mongodb" for product "Go Driver" and version " <= 1.5.0"		mongodb		Affected