{
  "schema_version": "1.3.1",
  "id": "GO-2022-0463",
  "modified": "0001-01-01T00:00:00Z",
  "published": "2022-07-01T20:06:59Z",
  "aliases": [
    "CVE-2022-31259",
    "GHSA-qx32-f6g6-fcfr"
  ],
  "summary": "Access control bypass due to broad route matching in github.com/astaxie/beego, github.com/beego/beego and github.com/beego/beego/v2",
  "details": "Routes in the beego HTTP router can match unintended patterns. This overly-broad matching may permit an attacker to bypass access controls.\n\nFor example, the pattern \"/a/b/:name\" can match the URL \"/a.xml/b/\". This may bypass access control applied to the prefix \"/a/\": a check that is keyed on the request path prefix (such as a filter registered for \"/a/\") does not treat \"/a.xml/b/\" as matching, while the router still dispatches the request to the handler registered for \"/a/b/:name\". Authorization that is enforced inside the handler itself, rather than by path-prefix matching, is not bypassed by this issue.\n\nThe deprecated module path github.com/astaxie/beego has no fixed version; users of that path should migrate to github.com/beego/beego v1.12.9 or later, or to github.com/beego/beego/v2 v2.0.3 or later.",
  "affected": [
    {
      "package": {
        "name": "github.com/astaxie/beego",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/astaxie/beego",
            "symbols": [
              "App.Run",
              "ControllerRegister.FindPolicy",
              "ControllerRegister.FindRouter",
              "ControllerRegister.ServeHTTP",
              "FilterRouter.ValidRouter",
              "InitBeegoBeforeTest",
              "Run",
              "RunWithMiddleWares",
              "TestBeegoInit",
              "Tree.Match",
              "adminApp.Run"
            ]
          }
        ]
      }
    },
    {
      "package": {
        "name": "github.com/beego/beego",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.9"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/beego/beego",
            "symbols": [
              "App.Run",
              "ControllerRegister.FindPolicy",
              "ControllerRegister.FindRouter",
              "ControllerRegister.ServeHTTP",
              "FilterRouter.ValidRouter",
              "InitBeegoBeforeTest",
              "Run",
              "RunWithMiddleWares",
              "TestBeegoInit",
              "Tree.Match",
              "Tree.match",
              "adminApp.Run"
            ]
          }
        ]
      }
    },
    {
      "package": {
        "name": "github.com/beego/beego/v2",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.3"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/beego/beego/v2/server/web",
            "symbols": [
              "AddNamespace",
              "AddViewPath",
              "Any",
              "AutoPrefix",
              "AutoRouter",
              "BuildTemplate",
              "Compare",
              "CompareNot",
              "Controller.Abort",
              "Controller.Bind",
              "Controller.BindForm",
              "Controller.BindJSON",
              "Controller.BindProtobuf",
              "Controller.BindXML",
              "Controller.BindYAML",
              "Controller.CheckXSRFCookie",
              "Controller.CustomAbort",
              "Controller.Delete",
              "Controller.DestroySession",
              "Controller.Get",
              "Controller.GetBool",
              "Controller.GetFile",
              "Controller.GetFloat",
              "Controller.GetInt",
              "Controller.GetInt16",
              "Controller.GetInt32",
              "Controller.GetInt64",
              "Controller.GetInt8",
              "Controller.GetSecureCookie",
              "Controller.GetString",
              "Controller.GetStrings",
              "Controller.GetUint16",
              "Controller.GetUint32",
              "Controller.GetUint64",
              "Controller.GetUint8",
              "Controller.Head",
              "Controller.Input",
              "Controller.IsAjax",
              "Controller.JSONResp",
              "Controller.Options",
              "Controller.ParseForm",
              "Controller.Patch",
              "Controller.Post",
              "Controller.Put",
              "Controller.Redirect",
              "Controller.Render",
              "Controller.RenderBytes",
              "Controller.RenderString",
              "Controller.Resp",
              "Controller.SaveToFile",
              "Controller.SaveToFileWithBuffer",
              "Controller.ServeFormatted",
              "Controller.ServeJSON",
              "Controller.ServeJSONP",
              "Controller.ServeXML",
              "Controller.ServeYAML",
              "Controller.SessionRegenerateID",
              "Controller.SetData",
              "Controller.SetSecureCookie",
              "Controller.Trace",
              "Controller.URLFor",
              "Controller.XMLResp",
              "Controller.XSRFFormHTML",
              "Controller.XSRFToken",
              "Controller.YamlResp",
              "ControllerRegister.Add",
              "ControllerRegister.AddAuto",
              "ControllerRegister.AddAutoPrefix",
              "ControllerRegister.AddMethod",
              "ControllerRegister.AddRouterMethod",
              "ControllerRegister.Any",
              "ControllerRegister.CtrlAny",
              "ControllerRegister.CtrlDelete",
              "ControllerRegister.CtrlGet",
              "ControllerRegister.CtrlHead",
              "ControllerRegister.CtrlOptions",
              "ControllerRegister.CtrlPatch",
              "ControllerRegister.CtrlPost",
              "ControllerRegister.CtrlPut",
              "ControllerRegister.Delete",
              "ControllerRegister.FindPolicy",
              "ControllerRegister.FindRouter",
              "ControllerRegister.Get",
              "ControllerRegister.GetContext",
              "ControllerRegister.Handler",
              "ControllerRegister.Head",
              "ControllerRegister.Include",
              "ControllerRegister.Init",
              "ControllerRegister.InsertFilter",
              "ControllerRegister.Options",
              "ControllerRegister.Patch",
              "ControllerRegister.Post",
              "ControllerRegister.Put",
              "ControllerRegister.ServeHTTP",
              "ControllerRegister.URLFor",
              "CtrlAny",
              "CtrlDelete",
              "CtrlGet",
              "CtrlHead",
              "CtrlOptions",
              "CtrlPatch",
              "CtrlPost",
              "CtrlPut",
              "Date",
              "DateFormat",
              "DateParse",
              "Delete",
              "Exception",
              "ExecuteTemplate",
              "ExecuteViewPathTemplate",
              "FileSystem.Open",
              "FilterRouter.ValidRouter",
              "FlashData.Error",
              "FlashData.Notice",
              "FlashData.Set",
              "FlashData.Store",
              "FlashData.Success",
              "FlashData.Warning",
              "Get",
              "GetConfig",
              "HTML2str",
              "Handler",
              "Head",
              "Htmlquote",
              "Htmlunquote",
              "HttpServer.Any",
              "HttpServer.AutoPrefix",
              "HttpServer.AutoRouter",
              "HttpServer.CtrlAny",
              "HttpServer.CtrlDelete",
              "HttpServer.CtrlGet",
              "HttpServer.CtrlHead",
              "HttpServer.CtrlOptions",
              "HttpServer.CtrlPatch",
              "HttpServer.CtrlPost",
              "HttpServer.CtrlPut",
              "HttpServer.Delete",
              "HttpServer.Get",
              "HttpServer.Handler",
              "HttpServer.Head",
              "HttpServer.Include",
              "HttpServer.InsertFilter",
              "HttpServer.LogAccess",
              "HttpServer.Options",
              "HttpServer.Patch",
              "HttpServer.Post",
              "HttpServer.PrintTree",
              "HttpServer.Put",
              "HttpServer.RESTRouter",
              "HttpServer.Router",
              "HttpServer.RouterWithOpts",
              "HttpServer.Run",
              "Include",
              "InitBeegoBeforeTest",
              "InsertFilter",
              "LoadAppConfig",
              "LogAccess",
              "MapGet",
              "Namespace.Any",
              "Namespace.AutoPrefix",
              "Namespace.AutoRouter",
              "Namespace.Cond",
              "Namespace.CtrlAny",
              "Namespace.CtrlDelete",
              "Namespace.CtrlGet",
              "Namespace.CtrlHead",
              "Namespace.CtrlOptions",
              "Namespace.CtrlPatch",
              "Namespace.CtrlPost",
              "Namespace.CtrlPut",
              "Namespace.Delete",
              "Namespace.Filter",
              "Namespace.Get",
              "Namespace.Handler",
              "Namespace.Head",
              "Namespace.Include",
              "Namespace.Namespace",
              "Namespace.Options",
              "Namespace.Patch",
              "Namespace.Post",
              "Namespace.Put",
              "Namespace.Router",
              "NewControllerRegister",
              "NewControllerRegisterWithCfg",
              "NewHttpServerWithCfg",
              "NewHttpSever",
              "NewNamespace",
              "NotNil",
              "Options",
              "ParseForm",
              "Patch",
              "Policy",
              "Post",
              "PrintTree",
              "Put",
              "RESTRouter",
              "ReadFromRequest",
              "RenderForm",
              "Router",
              "RouterWithOpts",
              "Run",
              "RunWithMiddleWares",
              "TestBeegoInit",
              "Tree.AddRouter",
              "Tree.AddTree",
              "Tree.Match",
              "Tree.match",
              "URLFor",
              "URLMap.GetMap",
              "URLMap.GetMapData",
              "Walk",
              "adminApp.Run",
              "adminController.AdminIndex",
              "adminController.Healthcheck",
              "adminController.ListConf",
              "adminController.ProfIndex",
              "adminController.PrometheusMetrics",
              "adminController.QpsIndex",
              "adminController.TaskStatus",
              "beegoAppConfig.Bool",
              "beegoAppConfig.DefaultBool",
              "beegoAppConfig.SaveConfigFile",
              "beegoAppConfig.Unmarshaler"
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/beego/beego/pull/4958"
    },
    {
      "type": "FIX",
      "url": "https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd"
    },
    {
      "type": "WEB",
      "url": "https://beego.vip"
    },
    {
      "type": "WEB",
      "url": "https://github.com/beego/beego/issues/4946"
    },
    {
      "type": "WEB",
      "url": "https://github.com/beego/beego/pull/4954"
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2022-0463"
  }
}