Vulnerability Report: GO-2022-0572
- CVE-2021-30080, GHSA-28r6-jm5h-mrgg
- Affects: github.com/astaxie/beego, github.com/beego/beego, and 1 more
- Published: Aug 22, 2022
- Modified: May 20, 2024
An issue was discovered in the route lookup process in beego which attackers to bypass access control.
Affected Packages
-
PathGo VersionsSymbols
-
all versions, no known fixed
-
all versions, no known fixed
-
from v2.0.0 before v2.0.3
166 affected symbols
- AddNamespace
- AddViewPath
- Any
- AutoPrefix
- AutoRouter
- BuildTemplate
- Compare
- CompareNot
- Controller.Abort
- Controller.CheckXSRFCookie
- Controller.CustomAbort
- Controller.Delete
- Controller.DestroySession
- Controller.Get
- Controller.GetBool
- Controller.GetFile
- Controller.GetFloat
- Controller.GetInt
- Controller.GetInt16
- Controller.GetInt32
- Controller.GetInt64
- Controller.GetInt8
- Controller.GetSecureCookie
- Controller.GetString
- Controller.GetStrings
- Controller.GetUint16
- Controller.GetUint32
- Controller.GetUint64
- Controller.GetUint8
- Controller.Head
- Controller.Input
- Controller.IsAjax
- Controller.Options
- Controller.ParseForm
- Controller.Patch
- Controller.Post
- Controller.Put
- Controller.Redirect
- Controller.Render
- Controller.RenderBytes
- Controller.RenderString
- Controller.SaveToFile
- Controller.ServeFormatted
- Controller.ServeJSON
- Controller.ServeJSONP
- Controller.ServeXML
- Controller.ServeYAML
- Controller.SessionRegenerateID
- Controller.SetData
- Controller.SetSecureCookie
- Controller.Trace
- Controller.URLFor
- Controller.XSRFFormHTML
- Controller.XSRFToken
- ControllerRegister.Add
- ControllerRegister.AddAuto
- ControllerRegister.AddAutoPrefix
- ControllerRegister.AddMethod
- ControllerRegister.Any
- ControllerRegister.Delete
- ControllerRegister.FindPolicy
- ControllerRegister.FindRouter
- ControllerRegister.Get
- ControllerRegister.GetContext
- ControllerRegister.Handler
- ControllerRegister.Head
- ControllerRegister.Include
- ControllerRegister.InsertFilter
- ControllerRegister.InsertFilterChain
- ControllerRegister.Options
- ControllerRegister.Patch
- ControllerRegister.Post
- ControllerRegister.Put
- ControllerRegister.ServeHTTP
- ControllerRegister.URLFor
- Date
- DateFormat
- DateParse
- Delete
- Exception
- ExecuteTemplate
- ExecuteViewPathTemplate
- FileSystem.Open
- FilterRouter.ValidRouter
- FlashData.Error
- FlashData.Notice
- FlashData.Set
- FlashData.Store
- FlashData.Success
- FlashData.Warning
- Get
- GetConfig
- HTML2str
- Handler
- Head
- Htmlquote
- Htmlunquote
- HttpServer.Any
- HttpServer.AutoPrefix
- HttpServer.AutoRouter
- HttpServer.Delete
- HttpServer.Get
- HttpServer.Handler
- HttpServer.Head
- HttpServer.Include
- HttpServer.InsertFilter
- HttpServer.InsertFilterChain
- HttpServer.LogAccess
- HttpServer.Options
- HttpServer.Patch
- HttpServer.Post
- HttpServer.PrintTree
- HttpServer.Put
- HttpServer.RESTRouter
- HttpServer.Router
- HttpServer.Run
- Include
- InitBeegoBeforeTest
- InsertFilter
- InsertFilterChain
- LoadAppConfig
- LogAccess
- MapGet
- Namespace.Any
- Namespace.AutoPrefix
- Namespace.AutoRouter
- Namespace.Cond
- Namespace.Delete
- Namespace.Filter
- Namespace.Get
- Namespace.Handler
- Namespace.Head
- Namespace.Include
- Namespace.Namespace
- Namespace.Options
- Namespace.Patch
- Namespace.Post
- Namespace.Put
- Namespace.Router
- NewControllerRegister
- NewControllerRegisterWithCfg
- NewHttpServerWithCfg
- NewHttpSever
- NewNamespace
- NotNil
- Options
- ParseForm
- Patch
- Policy
- Post
- PrintTree
- Put
- RESTRouter
- ReadFromRequest
- RenderForm
- Router
- Run
- RunWithMiddleWares
- TestBeegoInit
- Tree.AddRouter
- Tree.AddTree
- Tree.Match
- URLFor
- URLMap.GetMap
- URLMap.GetMapData
- Walk
Aliases
References
- https://github.com/beego/beego/pull/4459
- https://github.com/beego/beego/commit/d5df5e470d0a8ed291930ae802fd7e6b95226519
- https://vuln.go.dev/ID/GO-2022-0572.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.