blob: 8ac875f25fc0f39f5defc56c47190439011b8ae2 [file] [log] [blame]
id: GO-2022-0569
modules:
- module: github.com/astaxie/beego
vulnerable_at: 1.12.3
packages:
- package: github.com/astaxie/beego
symbols:
- Tree.Match
derived_symbols:
- App.Run
- ControllerRegister.FindPolicy
- ControllerRegister.FindRouter
- ControllerRegister.ServeHTTP
- FilterRouter.ValidRouter
- InitBeegoBeforeTest
- Run
- RunWithMiddleWares
- TestBeegoInit
- adminApp.Run
- module: github.com/beego/beego
versions:
- fixed: 1.12.11
vulnerable_at: 1.12.10
packages:
- package: github.com/beego/beego
symbols:
- Tree.Match
derived_symbols:
- App.Run
- ControllerRegister.FindPolicy
- ControllerRegister.FindRouter
- ControllerRegister.ServeHTTP
- FilterRouter.ValidRouter
- InitBeegoBeforeTest
- Run
- RunWithMiddleWares
- TestBeegoInit
- adminApp.Run
- module: github.com/beego/beego/v2
versions:
- introduced: 2.0.0
fixed: 2.0.4
vulnerable_at: 2.0.3
packages:
- package: github.com/beego/beego/v2/server/web
symbols:
- Tree.Match
derived_symbols:
- AddNamespace
- AddViewPath
- Any
- AutoPrefix
- AutoRouter
- BuildTemplate
- Compare
- CompareNot
- Controller.Abort
- Controller.Bind
- Controller.BindForm
- Controller.BindJSON
- Controller.BindProtobuf
- Controller.BindXML
- Controller.BindYAML
- Controller.CheckXSRFCookie
- Controller.CustomAbort
- Controller.Delete
- Controller.DestroySession
- Controller.Get
- Controller.GetBool
- Controller.GetFile
- Controller.GetFloat
- Controller.GetInt
- Controller.GetInt16
- Controller.GetInt32
- Controller.GetInt64
- Controller.GetInt8
- Controller.GetSecureCookie
- Controller.GetString
- Controller.GetStrings
- Controller.GetUint16
- Controller.GetUint32
- Controller.GetUint64
- Controller.GetUint8
- Controller.Head
- Controller.Input
- Controller.IsAjax
- Controller.JSONResp
- Controller.Options
- Controller.ParseForm
- Controller.Patch
- Controller.Post
- Controller.Put
- Controller.Redirect
- Controller.Render
- Controller.RenderBytes
- Controller.RenderString
- Controller.Resp
- Controller.SaveToFile
- Controller.SaveToFileWithBuffer
- Controller.ServeFormatted
- Controller.ServeJSON
- Controller.ServeJSONP
- Controller.ServeXML
- Controller.ServeYAML
- Controller.SessionRegenerateID
- Controller.SetData
- Controller.SetSecureCookie
- Controller.Trace
- Controller.URLFor
- Controller.XMLResp
- Controller.XSRFFormHTML
- Controller.XSRFToken
- Controller.YamlResp
- ControllerRegister.Add
- ControllerRegister.AddAuto
- ControllerRegister.AddAutoPrefix
- ControllerRegister.AddMethod
- ControllerRegister.AddRouterMethod
- ControllerRegister.Any
- ControllerRegister.CtrlAny
- ControllerRegister.CtrlDelete
- ControllerRegister.CtrlGet
- ControllerRegister.CtrlHead
- ControllerRegister.CtrlOptions
- ControllerRegister.CtrlPatch
- ControllerRegister.CtrlPost
- ControllerRegister.CtrlPut
- ControllerRegister.Delete
- ControllerRegister.FindPolicy
- ControllerRegister.FindRouter
- ControllerRegister.Get
- ControllerRegister.GetContext
- ControllerRegister.Handler
- ControllerRegister.Head
- ControllerRegister.Include
- ControllerRegister.Init
- ControllerRegister.InsertFilter
- ControllerRegister.Options
- ControllerRegister.Patch
- ControllerRegister.Post
- ControllerRegister.Put
- ControllerRegister.ServeHTTP
- ControllerRegister.URLFor
- CtrlAny
- CtrlDelete
- CtrlGet
- CtrlHead
- CtrlOptions
- CtrlPatch
- CtrlPost
- CtrlPut
- Date
- DateFormat
- DateParse
- Delete
- Exception
- ExecuteTemplate
- ExecuteViewPathTemplate
- FileSystem.Open
- FilterRouter.ValidRouter
- FlashData.Error
- FlashData.Notice
- FlashData.Set
- FlashData.Store
- FlashData.Success
- FlashData.Warning
- Get
- GetConfig
- HTML2str
- Handler
- Head
- Htmlquote
- Htmlunquote
- HttpServer.Any
- HttpServer.AutoPrefix
- HttpServer.AutoRouter
- HttpServer.CtrlAny
- HttpServer.CtrlDelete
- HttpServer.CtrlGet
- HttpServer.CtrlHead
- HttpServer.CtrlOptions
- HttpServer.CtrlPatch
- HttpServer.CtrlPost
- HttpServer.CtrlPut
- HttpServer.Delete
- HttpServer.Get
- HttpServer.Handler
- HttpServer.Head
- HttpServer.Include
- HttpServer.InsertFilter
- HttpServer.LogAccess
- HttpServer.Options
- HttpServer.Patch
- HttpServer.Post
- HttpServer.PrintTree
- HttpServer.Put
- HttpServer.RESTRouter
- HttpServer.Router
- HttpServer.RouterWithOpts
- HttpServer.Run
- Include
- InitBeegoBeforeTest
- InsertFilter
- LoadAppConfig
- LogAccess
- MapGet
- Namespace.Any
- Namespace.AutoPrefix
- Namespace.AutoRouter
- Namespace.Cond
- Namespace.CtrlAny
- Namespace.CtrlDelete
- Namespace.CtrlGet
- Namespace.CtrlHead
- Namespace.CtrlOptions
- Namespace.CtrlPatch
- Namespace.CtrlPost
- Namespace.CtrlPut
- Namespace.Delete
- Namespace.Filter
- Namespace.Get
- Namespace.Handler
- Namespace.Head
- Namespace.Include
- Namespace.Namespace
- Namespace.Options
- Namespace.Patch
- Namespace.Post
- Namespace.Put
- Namespace.Router
- NewControllerRegister
- NewControllerRegisterWithCfg
- NewHttpServerWithCfg
- NewHttpSever
- NewNamespace
- NotNil
- Options
- ParseForm
- Patch
- Policy
- Post
- PrintTree
- Put
- RESTRouter
- ReadFromRequest
- RenderForm
- Router
- RouterWithOpts
- Run
- RunWithMiddleWares
- TestBeegoInit
- Tree.AddRouter
- Tree.AddTree
- URLFor
- URLMap.GetMap
- URLMap.GetMapData
- Walk
- adminApp.Run
- adminController.AdminIndex
- adminController.Healthcheck
- adminController.ListConf
- adminController.ProfIndex
- adminController.PrometheusMetrics
- adminController.QpsIndex
- adminController.TaskStatus
- beegoAppConfig.Bool
- beegoAppConfig.DefaultBool
summary: Path traversal in github.com/beego/beego and beego/v2
description: |-
The leafInfo.match() function uses path.join() to deal with wildcard values
which can lead to cross directory risk.
published: 2022-08-23T13:24:17Z
cves:
- CVE-2022-31836
ghsas:
- GHSA-95f9-94vc-665h
references:
- fix: https://github.com/beego/beego/pull/5025
- fix: https://github.com/beego/beego/pull/5025/commits/ea5ae58d40589d249cf577a053e490509de2bf57