GHSA-qx32-f6g6-fcfr

Suggest an improvement
Source
https://github.com/advisories/GHSA-qx32-f6g6-fcfr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qx32-f6g6-fcfr/GHSA-qx32-f6g6-fcfr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qx32-f6g6-fcfr
Aliases
Published
2022-05-22T00:00:32Z
Modified
2023-11-08T04:09:30.053629Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Access control bypass in beego
Details

The route lookup process in beego prior to 1.12.9 and 2.x prior to 2.0.3 allows attackers to bypass access control. When a /p1/p2/:name route is configured, attackers can access it by appending .xml in various places (e.g., p1.xml instead of p1).

References

Affected packages

Go / github.com/beego/beego/v2

Package

Name
github.com/beego/beego/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/beego/beego/v2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.3

Go / github.com/beego/beego

Package

Name
github.com/beego/beego
View open source insights on deps.dev
Purl
pkg:golang/github.com/beego/beego

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.12.9