blob: 3d7a365b4c72848d7355d84b7023e67eaedf5338 [file] [log] [blame]
id: GO-2022-0572
modules:
- module: github.com/astaxie/beego
vulnerable_at: 1.12.3
packages:
- package: github.com/astaxie/beego
symbols:
- Tree.Match
derived_symbols:
- App.Run
- ControllerRegister.FindPolicy
- ControllerRegister.FindRouter
- ControllerRegister.ServeHTTP
- FilterRouter.ValidRouter
- InitBeegoBeforeTest
- Run
- RunWithMiddleWares
- TestBeegoInit
- adminApp.Run
- module: github.com/beego/beego
vulnerable_at: 1.12.11
packages:
- package: github.com/beego/beego
symbols:
- Tree.Match
derived_symbols:
- App.Run
- ControllerRegister.FindPolicy
- ControllerRegister.FindRouter
- ControllerRegister.ServeHTTP
- FilterRouter.ValidRouter
- InitBeegoBeforeTest
- Run
- RunWithMiddleWares
- TestBeegoInit
- adminApp.Run
- module: github.com/beego/beego/v2
versions:
- introduced: 2.0.0
fixed: 2.0.3
vulnerable_at: 2.0.1
packages:
- package: github.com/beego/beego/v2/server/web
symbols:
- Tree.Match
derived_symbols:
- AddNamespace
- AddViewPath
- Any
- AutoPrefix
- AutoRouter
- BuildTemplate
- Compare
- CompareNot
- Controller.Abort
- Controller.CheckXSRFCookie
- Controller.CustomAbort
- Controller.Delete
- Controller.DestroySession
- Controller.Get
- Controller.GetBool
- Controller.GetFile
- Controller.GetFloat
- Controller.GetInt
- Controller.GetInt16
- Controller.GetInt32
- Controller.GetInt64
- Controller.GetInt8
- Controller.GetSecureCookie
- Controller.GetString
- Controller.GetStrings
- Controller.GetUint16
- Controller.GetUint32
- Controller.GetUint64
- Controller.GetUint8
- Controller.Head
- Controller.Input
- Controller.IsAjax
- Controller.Options
- Controller.ParseForm
- Controller.Patch
- Controller.Post
- Controller.Put
- Controller.Redirect
- Controller.Render
- Controller.RenderBytes
- Controller.RenderString
- Controller.SaveToFile
- Controller.ServeFormatted
- Controller.ServeJSON
- Controller.ServeJSONP
- Controller.ServeXML
- Controller.ServeYAML
- Controller.SessionRegenerateID
- Controller.SetData
- Controller.SetSecureCookie
- Controller.Trace
- Controller.URLFor
- Controller.XSRFFormHTML
- Controller.XSRFToken
- ControllerRegister.Add
- ControllerRegister.AddAuto
- ControllerRegister.AddAutoPrefix
- ControllerRegister.AddMethod
- ControllerRegister.Any
- ControllerRegister.Delete
- ControllerRegister.FindPolicy
- ControllerRegister.FindRouter
- ControllerRegister.Get
- ControllerRegister.GetContext
- ControllerRegister.Handler
- ControllerRegister.Head
- ControllerRegister.Include
- ControllerRegister.InsertFilter
- ControllerRegister.InsertFilterChain
- ControllerRegister.Options
- ControllerRegister.Patch
- ControllerRegister.Post
- ControllerRegister.Put
- ControllerRegister.ServeHTTP
- ControllerRegister.URLFor
- Date
- DateFormat
- DateParse
- Delete
- Exception
- ExecuteTemplate
- ExecuteViewPathTemplate
- FileSystem.Open
- FilterRouter.ValidRouter
- FlashData.Error
- FlashData.Notice
- FlashData.Set
- FlashData.Store
- FlashData.Success
- FlashData.Warning
- Get
- GetConfig
- HTML2str
- Handler
- Head
- Htmlquote
- Htmlunquote
- HttpServer.Any
- HttpServer.AutoPrefix
- HttpServer.AutoRouter
- HttpServer.Delete
- HttpServer.Get
- HttpServer.Handler
- HttpServer.Head
- HttpServer.Include
- HttpServer.InsertFilter
- HttpServer.InsertFilterChain
- HttpServer.LogAccess
- HttpServer.Options
- HttpServer.Patch
- HttpServer.Post
- HttpServer.PrintTree
- HttpServer.Put
- HttpServer.RESTRouter
- HttpServer.Router
- HttpServer.Run
- Include
- InitBeegoBeforeTest
- InsertFilter
- InsertFilterChain
- LoadAppConfig
- LogAccess
- MapGet
- Namespace.Any
- Namespace.AutoPrefix
- Namespace.AutoRouter
- Namespace.Cond
- Namespace.Delete
- Namespace.Filter
- Namespace.Get
- Namespace.Handler
- Namespace.Head
- Namespace.Include
- Namespace.Namespace
- Namespace.Options
- Namespace.Patch
- Namespace.Post
- Namespace.Put
- Namespace.Router
- NewControllerRegister
- NewControllerRegisterWithCfg
- NewHttpServerWithCfg
- NewHttpSever
- NewNamespace
- NotNil
- Options
- ParseForm
- Patch
- Policy
- Post
- PrintTree
- Put
- RESTRouter
- ReadFromRequest
- RenderForm
- Router
- Run
- RunWithMiddleWares
- TestBeegoInit
- Tree.AddRouter
- Tree.AddTree
- URLFor
- URLMap.GetMap
- URLMap.GetMapData
- Walk
- adminApp.Run
- adminController.AdminIndex
- adminController.Healthcheck
- adminController.ListConf
- adminController.ProfIndex
- adminController.PrometheusMetrics
- adminController.QpsIndex
- adminController.TaskStatus
- beegoAppConfig.Bool
- beegoAppConfig.DefaultBool
summary: |-
Access control bypass via incorrect route lookup in github.com/beego/beego and
beego/v2
description: |-
An issue was discovered in the route lookup process in beego which attackers to
bypass access control.
published: 2022-08-22T17:56:17Z
cves:
- CVE-2021-30080
ghsas:
- GHSA-28r6-jm5h-mrgg
references:
- fix: https://github.com/beego/beego/pull/4459
- fix: https://github.com/beego/beego/commit/d5df5e470d0a8ed291930ae802fd7e6b95226519