Vulnerability Report: GO-2022-0463
- CVE-2022-31259, GHSA-qx32-f6g6-fcfr
- Affects: github.com/astaxie/beego, github.com/beego/beego, and 1 more
- Published: Jul 01, 2022
- Modified: Jun 03, 2024
Routes in the beego HTTP router can match unintended patterns. This overly-broad matching may permit an attacker to bypass access controls. For example, the pattern "/a/b/:name" can match the URL "/a.xml/b/". This may bypass access control applied to the prefix "/a/".
Affected Packages
-
PathGo VersionsSymbols
-
all versions, no known fixed
-
before v1.12.9
-
before v2.0.3
210 affected symbols
- AddNamespace
- AddViewPath
- Any
- AutoPrefix
- AutoRouter
- BuildTemplate
- Compare
- CompareNot
- Controller.Abort
- Controller.Bind
- Controller.BindForm
- Controller.BindJSON
- Controller.BindProtobuf
- Controller.BindXML
- Controller.BindYAML
- Controller.CheckXSRFCookie
- Controller.CustomAbort
- Controller.Delete
- Controller.DestroySession
- Controller.Get
- Controller.GetBool
- Controller.GetFile
- Controller.GetFloat
- Controller.GetInt
- Controller.GetInt16
- Controller.GetInt32
- Controller.GetInt64
- Controller.GetInt8
- Controller.GetSecureCookie
- Controller.GetString
- Controller.GetStrings
- Controller.GetUint16
- Controller.GetUint32
- Controller.GetUint64
- Controller.GetUint8
- Controller.Head
- Controller.Input
- Controller.IsAjax
- Controller.JSONResp
- Controller.Options
- Controller.ParseForm
- Controller.Patch
- Controller.Post
- Controller.Put
- Controller.Redirect
- Controller.Render
- Controller.RenderBytes
- Controller.RenderString
- Controller.Resp
- Controller.SaveToFile
- Controller.SaveToFileWithBuffer
- Controller.ServeFormatted
- Controller.ServeJSON
- Controller.ServeJSONP
- Controller.ServeXML
- Controller.ServeYAML
- Controller.SessionRegenerateID
- Controller.SetData
- Controller.SetSecureCookie
- Controller.Trace
- Controller.URLFor
- Controller.XMLResp
- Controller.XSRFFormHTML
- Controller.XSRFToken
- Controller.YamlResp
- ControllerRegister.Add
- ControllerRegister.AddAuto
- ControllerRegister.AddAutoPrefix
- ControllerRegister.AddMethod
- ControllerRegister.AddRouterMethod
- ControllerRegister.Any
- ControllerRegister.CtrlAny
- ControllerRegister.CtrlDelete
- ControllerRegister.CtrlGet
- ControllerRegister.CtrlHead
- ControllerRegister.CtrlOptions
- ControllerRegister.CtrlPatch
- ControllerRegister.CtrlPost
- ControllerRegister.CtrlPut
- ControllerRegister.Delete
- ControllerRegister.FindPolicy
- ControllerRegister.FindRouter
- ControllerRegister.Get
- ControllerRegister.GetContext
- ControllerRegister.Handler
- ControllerRegister.Head
- ControllerRegister.Include
- ControllerRegister.Init
- ControllerRegister.InsertFilter
- ControllerRegister.Options
- ControllerRegister.Patch
- ControllerRegister.Post
- ControllerRegister.Put
- ControllerRegister.ServeHTTP
- ControllerRegister.URLFor
- CtrlAny
- CtrlDelete
- CtrlGet
- CtrlHead
- CtrlOptions
- CtrlPatch
- CtrlPost
- CtrlPut
- Date
- DateFormat
- DateParse
- Delete
- Exception
- ExecuteTemplate
- ExecuteViewPathTemplate
- FileSystem.Open
- FilterRouter.ValidRouter
- FlashData.Error
- FlashData.Notice
- FlashData.Set
- FlashData.Store
- FlashData.Success
- FlashData.Warning
- Get
- GetConfig
- HTML2str
- Handler
- Head
- Htmlquote
- Htmlunquote
- HttpServer.Any
- HttpServer.AutoPrefix
- HttpServer.AutoRouter
- HttpServer.CtrlAny
- HttpServer.CtrlDelete
- HttpServer.CtrlGet
- HttpServer.CtrlHead
- HttpServer.CtrlOptions
- HttpServer.CtrlPatch
- HttpServer.CtrlPost
- HttpServer.CtrlPut
- HttpServer.Delete
- HttpServer.Get
- HttpServer.Handler
- HttpServer.Head
- HttpServer.Include
- HttpServer.InsertFilter
- HttpServer.LogAccess
- HttpServer.Options
- HttpServer.Patch
- HttpServer.Post
- HttpServer.PrintTree
- HttpServer.Put
- HttpServer.RESTRouter
- HttpServer.Router
- HttpServer.RouterWithOpts
- HttpServer.Run
- Include
- InitBeegoBeforeTest
- InsertFilter
- LoadAppConfig
- LogAccess
- MapGet
- Namespace.Any
- Namespace.AutoPrefix
- Namespace.AutoRouter
- Namespace.Cond
- Namespace.CtrlAny
- Namespace.CtrlDelete
- Namespace.CtrlGet
- Namespace.CtrlHead
- Namespace.CtrlOptions
- Namespace.CtrlPatch
- Namespace.CtrlPost
- Namespace.CtrlPut
- Namespace.Delete
- Namespace.Filter
- Namespace.Get
- Namespace.Handler
- Namespace.Head
- Namespace.Include
- Namespace.Namespace
- Namespace.Options
- Namespace.Patch
- Namespace.Post
- Namespace.Put
- Namespace.Router
- NewControllerRegister
- NewControllerRegisterWithCfg
- NewHttpServerWithCfg
- NewHttpSever
- NewNamespace
- NotNil
- Options
- ParseForm
- Patch
- Policy
- Post
- PrintTree
- Put
- RESTRouter
- ReadFromRequest
- RenderForm
- Router
- RouterWithOpts
- Run
- RunWithMiddleWares
- TestBeegoInit
- Tree.AddRouter
- Tree.AddTree
- Tree.Match
- URLFor
- URLMap.GetMap
- URLMap.GetMapData
- Walk
Aliases
References
- https://github.com/beego/beego/pull/4958
- https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd
- https://github.com/beego/beego/issues/4946
- https://github.com/beego/beego/pull/4954
- https://vuln.go.dev/ID/GO-2022-0463.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.