#VU74181 Input validation error in MongoDB Go Driver


Published: 2023-03-29

Vulnerability identifier: #VU74181

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20329

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MongoDB Go Driver
Universal components / Libraries / Software for developers

Vendor: MongoDB, Inc.

Description

The vulnerability allows a remote attacker to manipulate data

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can inject additional fields into marshalled documents and manipulate data in the database.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MongoDB Go Driver: 0.0.1 - 1.11.3

External links
http://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.13
Multiple vulnerabilities in OpenShift Virtualization
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.14
Multiple vulnerabilities in OpenShift Container Platform 4.13
Multiple vulnerabiltiies in Red Hat OpenShift Service Mesh Containers 2.2
OpenShift Container Platform release 4.13 update for golang
Multiple vulnerabilities in OpenShift Container Platform 4.13
Multiple vulnerabilities in OpenShift Container Platform 4.10
Multiple vulnerabilities in OpenShift Container Platform 4.9
Multiple vulnerabilities in OpenShift Container Platform 4.11