| { |
| "schema_version": "1.3.1", |
| "id": "GO-2022-0463", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "2022-07-01T20:06:59Z", |
| "aliases": [ |
| "CVE-2022-31259", |
| "GHSA-qx32-f6g6-fcfr" |
| ], |
| "summary": "Access control bypass due to broad route matching in github.com/beego/beego and beego/v2", |
| "details": "Routes in the beego HTTP router can match unintended patterns. This overly-broad matching may permit an attacker to bypass access controls.\n\nFor example, the pattern \"/a/b/:name\" can match the URL \"/a.xml/b/\". This may bypass access control applied to the prefix \"/a/\".", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/astaxie/beego", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/astaxie/beego", |
| "symbols": [ |
| "App.Run", |
| "ControllerRegister.FindPolicy", |
| "ControllerRegister.FindRouter", |
| "ControllerRegister.ServeHTTP", |
| "FilterRouter.ValidRouter", |
| "InitBeegoBeforeTest", |
| "Run", |
| "RunWithMiddleWares", |
| "TestBeegoInit", |
| "Tree.Match", |
| "adminApp.Run" |
| ] |
| } |
| ] |
| } |
| }, |
| { |
| "package": { |
| "name": "github.com/beego/beego", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.12.9" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/beego/beego", |
| "symbols": [ |
| "App.Run", |
| "ControllerRegister.FindPolicy", |
| "ControllerRegister.FindRouter", |
| "ControllerRegister.ServeHTTP", |
| "FilterRouter.ValidRouter", |
| "InitBeegoBeforeTest", |
| "Run", |
| "RunWithMiddleWares", |
| "TestBeegoInit", |
| "Tree.Match", |
| "Tree.match", |
| "adminApp.Run" |
| ] |
| } |
| ] |
| } |
| }, |
| { |
| "package": { |
| "name": "github.com/beego/beego/v2", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "2.0.3" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/beego/beego/v2/server/web", |
| "symbols": [ |
| "AddNamespace", |
| "AddViewPath", |
| "Any", |
| "AutoPrefix", |
| "AutoRouter", |
| "BuildTemplate", |
| "Compare", |
| "CompareNot", |
| "Controller.Abort", |
| "Controller.Bind", |
| "Controller.BindForm", |
| "Controller.BindJSON", |
| "Controller.BindProtobuf", |
| "Controller.BindXML", |
| "Controller.BindYAML", |
| "Controller.CheckXSRFCookie", |
| "Controller.CustomAbort", |
| "Controller.Delete", |
| "Controller.DestroySession", |
| "Controller.Get", |
| "Controller.GetBool", |
| "Controller.GetFile", |
| "Controller.GetFloat", |
| "Controller.GetInt", |
| "Controller.GetInt16", |
| "Controller.GetInt32", |
| "Controller.GetInt64", |
| "Controller.GetInt8", |
| "Controller.GetSecureCookie", |
| "Controller.GetString", |
| "Controller.GetStrings", |
| "Controller.GetUint16", |
| "Controller.GetUint32", |
| "Controller.GetUint64", |
| "Controller.GetUint8", |
| "Controller.Head", |
| "Controller.Input", |
| "Controller.IsAjax", |
| "Controller.JSONResp", |
| "Controller.Options", |
| "Controller.ParseForm", |
| "Controller.Patch", |
| "Controller.Post", |
| "Controller.Put", |
| "Controller.Redirect", |
| "Controller.Render", |
| "Controller.RenderBytes", |
| "Controller.RenderString", |
| "Controller.Resp", |
| "Controller.SaveToFile", |
| "Controller.SaveToFileWithBuffer", |
| "Controller.ServeFormatted", |
| "Controller.ServeJSON", |
| "Controller.ServeJSONP", |
| "Controller.ServeXML", |
| "Controller.ServeYAML", |
| "Controller.SessionRegenerateID", |
| "Controller.SetData", |
| "Controller.SetSecureCookie", |
| "Controller.Trace", |
| "Controller.URLFor", |
| "Controller.XMLResp", |
| "Controller.XSRFFormHTML", |
| "Controller.XSRFToken", |
| "Controller.YamlResp", |
| "ControllerRegister.Add", |
| "ControllerRegister.AddAuto", |
| "ControllerRegister.AddAutoPrefix", |
| "ControllerRegister.AddMethod", |
| "ControllerRegister.AddRouterMethod", |
| "ControllerRegister.Any", |
| "ControllerRegister.CtrlAny", |
| "ControllerRegister.CtrlDelete", |
| "ControllerRegister.CtrlGet", |
| "ControllerRegister.CtrlHead", |
| "ControllerRegister.CtrlOptions", |
| "ControllerRegister.CtrlPatch", |
| "ControllerRegister.CtrlPost", |
| "ControllerRegister.CtrlPut", |
| "ControllerRegister.Delete", |
| "ControllerRegister.FindPolicy", |
| "ControllerRegister.FindRouter", |
| "ControllerRegister.Get", |
| "ControllerRegister.GetContext", |
| "ControllerRegister.Handler", |
| "ControllerRegister.Head", |
| "ControllerRegister.Include", |
| "ControllerRegister.Init", |
| "ControllerRegister.InsertFilter", |
| "ControllerRegister.Options", |
| "ControllerRegister.Patch", |
| "ControllerRegister.Post", |
| "ControllerRegister.Put", |
| "ControllerRegister.ServeHTTP", |
| "ControllerRegister.URLFor", |
| "CtrlAny", |
| "CtrlDelete", |
| "CtrlGet", |
| "CtrlHead", |
| "CtrlOptions", |
| "CtrlPatch", |
| "CtrlPost", |
| "CtrlPut", |
| "Date", |
| "DateFormat", |
| "DateParse", |
| "Delete", |
| "Exception", |
| "ExecuteTemplate", |
| "ExecuteViewPathTemplate", |
| "FileSystem.Open", |
| "FilterRouter.ValidRouter", |
| "FlashData.Error", |
| "FlashData.Notice", |
| "FlashData.Set", |
| "FlashData.Store", |
| "FlashData.Success", |
| "FlashData.Warning", |
| "Get", |
| "GetConfig", |
| "HTML2str", |
| "Handler", |
| "Head", |
| "Htmlquote", |
| "Htmlunquote", |
| "HttpServer.Any", |
| "HttpServer.AutoPrefix", |
| "HttpServer.AutoRouter", |
| "HttpServer.CtrlAny", |
| "HttpServer.CtrlDelete", |
| "HttpServer.CtrlGet", |
| "HttpServer.CtrlHead", |
| "HttpServer.CtrlOptions", |
| "HttpServer.CtrlPatch", |
| "HttpServer.CtrlPost", |
| "HttpServer.CtrlPut", |
| "HttpServer.Delete", |
| "HttpServer.Get", |
| "HttpServer.Handler", |
| "HttpServer.Head", |
| "HttpServer.Include", |
| "HttpServer.InsertFilter", |
| "HttpServer.LogAccess", |
| "HttpServer.Options", |
| "HttpServer.Patch", |
| "HttpServer.Post", |
| "HttpServer.PrintTree", |
| "HttpServer.Put", |
| "HttpServer.RESTRouter", |
| "HttpServer.Router", |
| "HttpServer.RouterWithOpts", |
| "HttpServer.Run", |
| "Include", |
| "InitBeegoBeforeTest", |
| "InsertFilter", |
| "LoadAppConfig", |
| "LogAccess", |
| "MapGet", |
| "Namespace.Any", |
| "Namespace.AutoPrefix", |
| "Namespace.AutoRouter", |
| "Namespace.Cond", |
| "Namespace.CtrlAny", |
| "Namespace.CtrlDelete", |
| "Namespace.CtrlGet", |
| "Namespace.CtrlHead", |
| "Namespace.CtrlOptions", |
| "Namespace.CtrlPatch", |
| "Namespace.CtrlPost", |
| "Namespace.CtrlPut", |
| "Namespace.Delete", |
| "Namespace.Filter", |
| "Namespace.Get", |
| "Namespace.Handler", |
| "Namespace.Head", |
| "Namespace.Include", |
| "Namespace.Namespace", |
| "Namespace.Options", |
| "Namespace.Patch", |
| "Namespace.Post", |
| "Namespace.Put", |
| "Namespace.Router", |
| "NewControllerRegister", |
| "NewControllerRegisterWithCfg", |
| "NewHttpServerWithCfg", |
| "NewHttpSever", |
| "NewNamespace", |
| "NotNil", |
| "Options", |
| "ParseForm", |
| "Patch", |
| "Policy", |
| "Post", |
| "PrintTree", |
| "Put", |
| "RESTRouter", |
| "ReadFromRequest", |
| "RenderForm", |
| "Router", |
| "RouterWithOpts", |
| "Run", |
| "RunWithMiddleWares", |
| "TestBeegoInit", |
| "Tree.AddRouter", |
| "Tree.AddTree", |
| "Tree.Match", |
| "Tree.match", |
| "URLFor", |
| "URLMap.GetMap", |
| "URLMap.GetMapData", |
| "Walk", |
| "adminApp.Run", |
| "adminController.AdminIndex", |
| "adminController.Healthcheck", |
| "adminController.ListConf", |
| "adminController.ProfIndex", |
| "adminController.PrometheusMetrics", |
| "adminController.QpsIndex", |
| "adminController.TaskStatus", |
| "beegoAppConfig.Bool", |
| "beegoAppConfig.DefaultBool", |
| "beegoAppConfig.SaveConfigFile", |
| "beegoAppConfig.Unmarshaler" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://github.com/beego/beego/pull/4958" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://github.com/beego/beego/issues/4946" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://github.com/beego/beego/pull/4954" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2022-0463", |
| "review_status": "REVIEWED" |
| } |
| } |