CVE-2021-20329 - Mongo DB Version 5.0

Hello Team,
As per Release MongoDB Go Driver 1.5.1 · mongodb/mongo-go-driver · GitHub, the CVE-2021-20329 issue is fixed in Mongo Go Driver > 1.5.0, and now I have updated my Mongo DB version from 4.4 to 5.0. As per the Mongo Go Driver compatibility, Mongo DB 5.0 is using Go Driver 1.6.

But, I still see CVE-2021-20329 in my reports.
Can anyone help with what else I need to update?

Hey @RGupta5, thanks for the question! Did you update your MongoDB version and the Go Driver version that you use in your application? Updating MongoDB will not cause the Go Driver to be updated; that is a separate operation.

I have a few questions that may help:

  • What vulnerability scanning system is warning about CVE-2021-20329? (e.g. Snyk, Dependabot, govulncheck, etc.)
  • Can you post part or all of your go.mod file for your application?

Hey @Matt_Dale ,
Thanks for the reply, but we are using Mongo DB with Java (Spring application), and there we use Mongo Java Driver 4.6.1, which is compatible with Mongo DB 5.0.
As per the Mongo DB upgrade documentation, we only need to update Mongo DB, which we did. I didn’t find any go.mod file in my Mongo DB installation or the collections directory.
After upgrading Mongo DB from 4.0 to 5.0, it says “Open Source MongoDB < GO Driver 1.5.1”.
I am not sure how I can upgrade the Go Driver with the MongoDB upgrade.

Ah, I assumed that you were using the Go Driver in your application. It’s possible the CVE warning is coming from some software packaged with your MongoDB installation that is using an old version of the Go Driver. As far as I know, none of the official MongoDB downloads package an old version of the Go Driver. However, some 3rd-party MongoDB packages, like the Ubuntu mongodb package, do seem to be impacted (see details here).

What package are you using to install MongoDB? For example, is it an Ubuntu/Debian package, a Docker image, an archive downloaded from mongodb.com, or something else?
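An added check, not part of this thread, that a defender can run against the Go binaries shipped with a MongoDB installation (for example the database tools) to see which Go Driver version each one was linked with, and so whether the CVE-2021-20329 warning is tied to a specific packaged binary. It reads the same build info that `go version -m <binary>` prints; it assumes a Go 1.18+ toolchain and binaries that still carry their build info (the paths in the usage comment are illustrative).

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

const driverModule = "go.mongodb.org/mongo-driver" // CVE-2021-20329 fixed in v1.5.1

// Verdict classifies a driver module version against the v1.5.1 fix as
// "vulnerable", "fixed" or "unknown" (e.g. "(devel)" carries no number).
func Verdict(version string) string {
	v, pre, _ := strings.Cut(strings.TrimPrefix(version, "v"), "-") // "-" starts a pre-release/pseudo-version
	var n [3]int
	if _, err := fmt.Sscanf(v, "%d.%d.%d", &n[0], &n[1], &n[2]); err != nil {
		return "unknown"
	}
	key := int64(n[0])<<40 | int64(n[1])<<20 | int64(n[2]) // one integer that orders like the three fields
	const fixed = int64(1)<<40 | 5<<20 | 1
	if key < fixed || (key == fixed && pre != "") { // a pre-release of 1.5.1 itself predates the fix
		return "vulnerable"
	}
	return "fixed"
}

// ScanBinary reads the build info embedded in any Go binary (the data that
// `go version -m` prints) and returns the driver version it was linked with
// plus its Verdict; "absent" means the binary does not depend on the driver.
func ScanBinary(path string) (version, verdict string, err error) {
	info, err := buildinfo.ReadFile(path) // needs a Go 1.18+ toolchain to build
	if err != nil {
		return "", "", err
	}
	for _, d := range info.Deps {
		if d.Path == driverModule {
			return d.Version, Verdict(d.Version), nil
		}
	}
	return "", "absent", nil
}

// Usage (illustrative paths): go run scan.go /usr/bin/mongodump /usr/bin/mongorestore
func main() {
	for _, p := range os.Args[1:] {
		v, verdict, err := ScanBinary(p)
		fmt.Println(p, driverModule, v, verdict, err)
	}
}
```

A binary that reports "absent" cannot be the source of this CVE finding; one that reports "unknown" should be inspected by hand with `go version -m`.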