| id: GO-2022-0572 |
| modules: |
| - module: github.com/astaxie/beego |
| vulnerable_at: 1.12.3 |
| packages: |
| - package: github.com/astaxie/beego |
| symbols: |
| - Tree.Match |
| derived_symbols: |
| - App.Run |
| - ControllerRegister.FindPolicy |
| - ControllerRegister.FindRouter |
| - ControllerRegister.ServeHTTP |
| - FilterRouter.ValidRouter |
| - InitBeegoBeforeTest |
| - Run |
| - RunWithMiddleWares |
| - TestBeegoInit |
| - adminApp.Run |
| - module: github.com/beego/beego |
| vulnerable_at: 1.12.11 |
| packages: |
| - package: github.com/beego/beego |
| symbols: |
| - Tree.Match |
| derived_symbols: |
| - App.Run |
| - ControllerRegister.FindPolicy |
| - ControllerRegister.FindRouter |
| - ControllerRegister.ServeHTTP |
| - FilterRouter.ValidRouter |
| - InitBeegoBeforeTest |
| - Run |
| - RunWithMiddleWares |
| - TestBeegoInit |
| - adminApp.Run |
| - module: github.com/beego/beego/v2 |
| versions: |
| - introduced: 2.0.0 |
| - fixed: 2.0.3 |
| vulnerable_at: 2.0.1 |
| packages: |
| - package: github.com/beego/beego/v2/server/web |
| symbols: |
| - Tree.Match |
| derived_symbols: |
| - AddNamespace |
| - AddViewPath |
| - Any |
| - AutoPrefix |
| - AutoRouter |
| - BuildTemplate |
| - Compare |
| - CompareNot |
| - Controller.Abort |
| - Controller.CheckXSRFCookie |
| - Controller.CustomAbort |
| - Controller.Delete |
| - Controller.DestroySession |
| - Controller.Get |
| - Controller.GetBool |
| - Controller.GetFile |
| - Controller.GetFloat |
| - Controller.GetInt |
| - Controller.GetInt16 |
| - Controller.GetInt32 |
| - Controller.GetInt64 |
| - Controller.GetInt8 |
| - Controller.GetSecureCookie |
| - Controller.GetString |
| - Controller.GetStrings |
| - Controller.GetUint16 |
| - Controller.GetUint32 |
| - Controller.GetUint64 |
| - Controller.GetUint8 |
| - Controller.Head |
| - Controller.Input |
| - Controller.IsAjax |
| - Controller.Options |
| - Controller.ParseForm |
| - Controller.Patch |
| - Controller.Post |
| - Controller.Put |
| - Controller.Redirect |
| - Controller.Render |
| - Controller.RenderBytes |
| - Controller.RenderString |
| - Controller.SaveToFile |
| - Controller.ServeFormatted |
| - Controller.ServeJSON |
| - Controller.ServeJSONP |
| - Controller.ServeXML |
| - Controller.ServeYAML |
| - Controller.SessionRegenerateID |
| - Controller.SetData |
| - Controller.SetSecureCookie |
| - Controller.Trace |
| - Controller.URLFor |
| - Controller.XSRFFormHTML |
| - Controller.XSRFToken |
| - ControllerRegister.Add |
| - ControllerRegister.AddAuto |
| - ControllerRegister.AddAutoPrefix |
| - ControllerRegister.AddMethod |
| - ControllerRegister.Any |
| - ControllerRegister.Delete |
| - ControllerRegister.FindPolicy |
| - ControllerRegister.FindRouter |
| - ControllerRegister.Get |
| - ControllerRegister.GetContext |
| - ControllerRegister.Handler |
| - ControllerRegister.Head |
| - ControllerRegister.Include |
| - ControllerRegister.InsertFilter |
| - ControllerRegister.InsertFilterChain |
| - ControllerRegister.Options |
| - ControllerRegister.Patch |
| - ControllerRegister.Post |
| - ControllerRegister.Put |
| - ControllerRegister.ServeHTTP |
| - ControllerRegister.URLFor |
| - Date |
| - DateFormat |
| - DateParse |
| - Delete |
| - Exception |
| - ExecuteTemplate |
| - ExecuteViewPathTemplate |
| - FileSystem.Open |
| - FilterRouter.ValidRouter |
| - FlashData.Error |
| - FlashData.Notice |
| - FlashData.Set |
| - FlashData.Store |
| - FlashData.Success |
| - FlashData.Warning |
| - Get |
| - GetConfig |
| - HTML2str |
| - Handler |
| - Head |
| - Htmlquote |
| - Htmlunquote |
| - HttpServer.Any |
| - HttpServer.AutoPrefix |
| - HttpServer.AutoRouter |
| - HttpServer.Delete |
| - HttpServer.Get |
| - HttpServer.Handler |
| - HttpServer.Head |
| - HttpServer.Include |
| - HttpServer.InsertFilter |
| - HttpServer.InsertFilterChain |
| - HttpServer.LogAccess |
| - HttpServer.Options |
| - HttpServer.Patch |
| - HttpServer.Post |
| - HttpServer.PrintTree |
| - HttpServer.Put |
| - HttpServer.RESTRouter |
| - HttpServer.Router |
| - HttpServer.Run |
| - Include |
| - InitBeegoBeforeTest |
| - InsertFilter |
| - InsertFilterChain |
| - LoadAppConfig |
| - LogAccess |
| - MapGet |
| - Namespace.Any |
| - Namespace.AutoPrefix |
| - Namespace.AutoRouter |
| - Namespace.Cond |
| - Namespace.Delete |
| - Namespace.Filter |
| - Namespace.Get |
| - Namespace.Handler |
| - Namespace.Head |
| - Namespace.Include |
| - Namespace.Namespace |
| - Namespace.Options |
| - Namespace.Patch |
| - Namespace.Post |
| - Namespace.Put |
| - Namespace.Router |
| - NewControllerRegister |
| - NewControllerRegisterWithCfg |
| - NewHttpServerWithCfg |
| - NewHttpSever |
| - NewNamespace |
| - NotNil |
| - Options |
| - ParseForm |
| - Patch |
| - Policy |
| - Post |
| - PrintTree |
| - Put |
| - RESTRouter |
| - ReadFromRequest |
| - RenderForm |
| - Router |
| - Run |
| - RunWithMiddleWares |
| - TestBeegoInit |
| - Tree.AddRouter |
| - Tree.AddTree |
| - URLFor |
| - URLMap.GetMap |
| - URLMap.GetMapData |
| - Walk |
| - adminApp.Run |
| - adminController.AdminIndex |
| - adminController.Healthcheck |
| - adminController.ListConf |
| - adminController.ProfIndex |
| - adminController.PrometheusMetrics |
| - adminController.QpsIndex |
| - adminController.TaskStatus |
| - beegoAppConfig.Bool |
| - beegoAppConfig.DefaultBool |
| - beegoAppConfig.SaveConfigFile |
| - beegoAppConfig.Unmarshaler |
| summary: |- |
| Access control bypass via incorrect route lookup in github.com/beego/beego and |
| beego/v2 |
| description: |- |
| An issue was discovered in the route lookup process in beego which attackers to |
| bypass access control. |
| published: 2022-08-22T17:56:17Z |
| cves: |
| - CVE-2021-30080 |
| ghsas: |
| - GHSA-28r6-jm5h-mrgg |
| references: |
| - fix: https://github.com/beego/beego/pull/4459 |
| - fix: https://github.com/beego/beego/commit/d5df5e470d0a8ed291930ae802fd7e6b95226519 |
| review_status: REVIEWED |