blob: f576e372fad0503c5cdf98005f187ab1930e578a [file] [log] [blame]
id: GO-2021-0084
modules:
- module: github.com/astaxie/beego
versions:
- fixed: 1.12.2
vulnerable_at: 1.12.1
packages:
- package: github.com/astaxie/beego/session
symbols:
- FileProvider.SessionRead
- FileProvider.SessionRegenerate
derived_symbols:
- Manager.GetSessionStore
- Manager.SessionRegenerateID
- Manager.SessionStart
fix_links:
- https://github.com/beego/beego/commit/f99cbe0fa40936f2f8dd28e70620c559b6e5e2fd
summary: Incorrect permissions for critical resource in github.com/astaxie/beego
description: |-
Session data is stored using permissive permissions, allowing local users with
filesystem access to read arbitrary data.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2019-16354
- CVE-2019-16355
ghsas:
- GHSA-f6px-w8rh-7r89
- GHSA-hf4p-4j9r-3cvx
credits:
- '@nicowaisman'
references:
- fix: https://github.com/beego/beego/pull/3975
- fix: https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1
- web: https://github.com/beego/beego/issues/3763
review_status: REVIEWED