The MongoDB Go driver team is pleased to release 1.5.1 of the official Go driver.
This release contains several bug fixes. Due to the issue below, we recommend all users upgrade to this version of the driver.
Documentation can be found on pkg.go.dev and the MongoDB documentation site. BSON library documentation is also available on pkg.go.dev. Questions and inquiries can be asked on the MongoDB Developer Community. Bugs can be reported in the Go Driver Jira where a list of current issues can be found.
CVE-2021-20329
This CVE describes a security issue with the driver's BSON marshalling system. BSON marshalling functions would incorrectly handle null bytes embedded in BSON key names and the pattern/options fields of a BSON regex value. BSON marshalling functions now correctly validate and error if there is an embedded null byte in BSON key names or the pattern/options fields of a BSON regex value. We recommend all users of the driver upgrade to this version.
CVE ID: CVE-2021-20329
Title: Specific cstrings input may not be properly validated in the MongoDB Go Driver
Description: Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.
CVSS score: 6.8
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected products and versions, MongoDB Go Driver versions <= 1.5.0
Underlying operating systems affected: All
Release Notes
For a full list of tickets included in this release, please see the links below: