{
"schema_version": "1.3.1",
"id": "GO-2022-0572",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-08-22T17:56:17Z",
"aliases": [
"CVE-2021-30080",
"GHSA-28r6-jm5h-mrgg"
],
"summary": "Access control bypass via incorrect route lookup in github.com/beego/beego and beego/v2",
"details": "An issue was discovered in the route lookup process in beego which attackers to bypass access control.",
"affected": [
{
"package": {
"name": "github.com/astaxie/beego",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/astaxie/beego",
"symbols": [
"App.Run",
"ControllerRegister.FindPolicy",
"ControllerRegister.FindRouter",
"ControllerRegister.ServeHTTP",
"FilterRouter.ValidRouter",
"InitBeegoBeforeTest",
"Run",
"RunWithMiddleWares",
"TestBeegoInit",
"Tree.Match",
"adminApp.Run"
]
}
]
}
},
{
"package": {
"name": "github.com/beego/beego",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego",
"symbols": [
"App.Run",
"ControllerRegister.FindPolicy",
"ControllerRegister.FindRouter",
"ControllerRegister.ServeHTTP",
"FilterRouter.ValidRouter",
"InitBeegoBeforeTest",
"Run",
"RunWithMiddleWares",
"TestBeegoInit",
"Tree.Match",
"adminApp.Run"
]
}
]
}
},
{
"package": {
"name": "github.com/beego/beego/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/beego/beego/v2/server/web",
"symbols": [
"AddNamespace",
"AddViewPath",
"Any",
"AutoPrefix",
"AutoRouter",
"BuildTemplate",
"Compare",
"CompareNot",
"Controller.Abort",
"Controller.CheckXSRFCookie",
"Controller.CustomAbort",
"Controller.Delete",
"Controller.DestroySession",
"Controller.Get",
"Controller.GetBool",
"Controller.GetFile",
"Controller.GetFloat",
"Controller.GetInt",
"Controller.GetInt16",
"Controller.GetInt32",
"Controller.GetInt64",
"Controller.GetInt8",
"Controller.GetSecureCookie",
"Controller.GetString",
"Controller.GetStrings",
"Controller.GetUint16",
"Controller.GetUint32",
"Controller.GetUint64",
"Controller.GetUint8",
"Controller.Head",
"Controller.Input",
"Controller.IsAjax",
"Controller.Options",
"Controller.ParseForm",
"Controller.Patch",
"Controller.Post",
"Controller.Put",
"Controller.Redirect",
"Controller.Render",
"Controller.RenderBytes",
"Controller.RenderString",
"Controller.SaveToFile",
"Controller.ServeFormatted",
"Controller.ServeJSON",
"Controller.ServeJSONP",
"Controller.ServeXML",
"Controller.ServeYAML",
"Controller.SessionRegenerateID",
"Controller.SetData",
"Controller.SetSecureCookie",
"Controller.Trace",
"Controller.URLFor",
"Controller.XSRFFormHTML",
"Controller.XSRFToken",
"ControllerRegister.Add",
"ControllerRegister.AddAuto",
"ControllerRegister.AddAutoPrefix",
"ControllerRegister.AddMethod",
"ControllerRegister.Any",
"ControllerRegister.Delete",
"ControllerRegister.FindPolicy",
"ControllerRegister.FindRouter",
"ControllerRegister.Get",
"ControllerRegister.GetContext",
"ControllerRegister.Handler",
"ControllerRegister.Head",
"ControllerRegister.Include",
"ControllerRegister.InsertFilter",
"ControllerRegister.InsertFilterChain",
"ControllerRegister.Options",
"ControllerRegister.Patch",
"ControllerRegister.Post",
"ControllerRegister.Put",
"ControllerRegister.ServeHTTP",
"ControllerRegister.URLFor",
"Date",
"DateFormat",
"DateParse",
"Delete",
"Exception",
"ExecuteTemplate",
"ExecuteViewPathTemplate",
"FileSystem.Open",
"FilterRouter.ValidRouter",
"FlashData.Error",
"FlashData.Notice",
"FlashData.Set",
"FlashData.Store",
"FlashData.Success",
"FlashData.Warning",
"Get",
"GetConfig",
"HTML2str",
"Handler",
"Head",
"Htmlquote",
"Htmlunquote",
"HttpServer.Any",
"HttpServer.AutoPrefix",
"HttpServer.AutoRouter",
"HttpServer.Delete",
"HttpServer.Get",
"HttpServer.Handler",
"HttpServer.Head",
"HttpServer.Include",
"HttpServer.InsertFilter",
"HttpServer.InsertFilterChain",
"HttpServer.LogAccess",
"HttpServer.Options",
"HttpServer.Patch",
"HttpServer.Post",
"HttpServer.PrintTree",
"HttpServer.Put",
"HttpServer.RESTRouter",
"HttpServer.Router",
"HttpServer.Run",
"Include",
"InitBeegoBeforeTest",
"InsertFilter",
"InsertFilterChain",
"LoadAppConfig",
"LogAccess",
"MapGet",
"Namespace.Any",
"Namespace.AutoPrefix",
"Namespace.AutoRouter",
"Namespace.Cond",
"Namespace.Delete",
"Namespace.Filter",
"Namespace.Get",
"Namespace.Handler",
"Namespace.Head",
"Namespace.Include",
"Namespace.Namespace",
"Namespace.Options",
"Namespace.Patch",
"Namespace.Post",
"Namespace.Put",
"Namespace.Router",
"NewControllerRegister",
"NewControllerRegisterWithCfg",
"NewHttpServerWithCfg",
"NewHttpSever",
"NewNamespace",
"NotNil",
"Options",
"ParseForm",
"Patch",
"Policy",
"Post",
"PrintTree",
"Put",
"RESTRouter",
"ReadFromRequest",
"RenderForm",
"Router",
"Run",
"RunWithMiddleWares",
"TestBeegoInit",
"Tree.AddRouter",
"Tree.AddTree",
"Tree.Match",
"URLFor",
"URLMap.GetMap",
"URLMap.GetMapData",
"Walk",
"adminApp.Run",
"adminController.AdminIndex",
"adminController.Healthcheck",
"adminController.ListConf",
"adminController.ProfIndex",
"adminController.PrometheusMetrics",
"adminController.QpsIndex",
"adminController.TaskStatus",
"beegoAppConfig.Bool",
"beegoAppConfig.DefaultBool",
"beegoAppConfig.SaveConfigFile",
"beegoAppConfig.Unmarshaler"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/beego/beego/pull/4459"
},
{
"type": "FIX",
"url": "https://github.com/beego/beego/commit/d5df5e470d0a8ed291930ae802fd7e6b95226519"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0572",
"review_status": "REVIEWED"
}
}