This CVE describes a security issue with the driver's BSON marshalling system. BSON marshalling functions would incorrectly handle null bytes embedded in BSON key names and the pattern/options fields of a BSON regex value. BSON marshalling functions now correctly validate and error if there is an embedded null byte in BSON key names or the pattern/options fields of a BSON regex value. We recommend all users of the driver upgrade to this version.
CVE ID: CVE-2021-20329
Title: Specific cstrings input may not be properly validated in the MongoDB Go Driver
Description: Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.
CVSS score: 6.8
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected products and versions, MongoDB Go Driver versions <= 1.5.0
Underlying operating systems affected: All
For a full list of tickets included in this release, please see the links below:
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/AndreasSko/go-jwlm/network/alerts).
Coverage: 86.118% (-0.0%) from 86.118% when pulling d87bf093fa7374d4301e86bced6424a6b1a1e53a on dependabot/go_modules/go.mongodb.org/mongo-driver-1.5.1 into 39bf323161784ff5af340ae491cd3e21cb21f4b2 on master.
Bumps go.mongodb.org/mongo-driver from 1.5.0 to 1.5.1.
Release notes
Sourced from go.mongodb.org/mongo-driver's releases.
Commits
40c0e70
Update version to v1.5.13a89e6c
GODRIVER-1923 Error if BSON cstrings contain null bytes (#622)1a2534c
GODRIVER-1935 Update scram/stringprep dependencies (#624)6ea353a
GODRIVER-1918 Check for zero length in readstring (#613)d5e11aa
GODRIVER-1919 Support decoding ObjectIDs from hex strings in BSON (#610)e0ed6d6
Update version to v1.5.1+prereleaseDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/AndreasSko/go-jwlm/network/alerts).