Route patterns in the beego HTTP router can match request paths they were not intended to match. Because the affected matching is overly broad, a request whose path does not satisfy a prefix-based access-control check can still be dispatched to a handler that the check was meant to protect, allowing an attacker to bypass that access control.
For example, the route pattern "/a/b/:name" can match the request path "/a.xml/b/", even though its first segment "a.xml" is not the literal segment "a". An access-control filter applied only to paths beginning with the prefix "/a/" would not fire for "/a.xml/b/", yet the request is still routed to the handler registered for "/a/b/:name"; with affected versions, a prefix-based filter therefore cannot be relied on by itself to guard that handler.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-0463" }
{ "imports": [ { "path": "github.com/astaxie/beego", "symbols": [ "App.Run", "ControllerRegister.FindPolicy", "ControllerRegister.FindRouter", "ControllerRegister.ServeHTTP", "FilterRouter.ValidRouter", "InitBeegoBeforeTest", "Run", "RunWithMiddleWares", "TestBeegoInit", "Tree.Match", "adminApp.Run" ] } ] }
{ "imports": [ { "path": "github.com/beego/beego", "symbols": [ "App.Run", "ControllerRegister.FindPolicy", "ControllerRegister.FindRouter", "ControllerRegister.ServeHTTP", "FilterRouter.ValidRouter", "InitBeegoBeforeTest", "Run", "RunWithMiddleWares", "TestBeegoInit", "Tree.Match", "Tree.match", "adminApp.Run" ] } ] }
{ "imports": [ { "path": "github.com/beego/beego/v2/server/web", "symbols": [ "AddNamespace", "AddViewPath", "Any", "AutoPrefix", "AutoRouter", "BuildTemplate", "Compare", "CompareNot", "Controller.Abort", "Controller.Bind", "Controller.BindForm", "Controller.BindJSON", "Controller.BindProtobuf", "Controller.BindXML", "Controller.BindYAML", "Controller.CheckXSRFCookie", "Controller.CustomAbort", "Controller.Delete", "Controller.DestroySession", "Controller.Get", "Controller.GetBool", "Controller.GetFile", "Controller.GetFloat", "Controller.GetInt", "Controller.GetInt16", "Controller.GetInt32", "Controller.GetInt64", "Controller.GetInt8", "Controller.GetSecureCookie", "Controller.GetString", "Controller.GetStrings", "Controller.GetUint16", "Controller.GetUint32", "Controller.GetUint64", "Controller.GetUint8", "Controller.Head", "Controller.Input", "Controller.IsAjax", "Controller.JSONResp", "Controller.Options", "Controller.ParseForm", "Controller.Patch", "Controller.Post", "Controller.Put", "Controller.Redirect", "Controller.Render", "Controller.RenderBytes", "Controller.RenderString", "Controller.Resp", "Controller.SaveToFile", "Controller.SaveToFileWithBuffer", "Controller.ServeFormatted", "Controller.ServeJSON", "Controller.ServeJSONP", "Controller.ServeXML", "Controller.ServeYAML", "Controller.SessionRegenerateID", "Controller.SetData", "Controller.SetSecureCookie", "Controller.Trace", "Controller.URLFor", "Controller.XMLResp", "Controller.XSRFFormHTML", "Controller.XSRFToken", "Controller.YamlResp", "ControllerRegister.Add", "ControllerRegister.AddAuto", "ControllerRegister.AddAutoPrefix", "ControllerRegister.AddMethod", "ControllerRegister.AddRouterMethod", "ControllerRegister.Any", "ControllerRegister.CtrlAny", "ControllerRegister.CtrlDelete", "ControllerRegister.CtrlGet", "ControllerRegister.CtrlHead", "ControllerRegister.CtrlOptions", "ControllerRegister.CtrlPatch", "ControllerRegister.CtrlPost", "ControllerRegister.CtrlPut", "ControllerRegister.Delete", 
"ControllerRegister.FindPolicy", "ControllerRegister.FindRouter", "ControllerRegister.Get", "ControllerRegister.GetContext", "ControllerRegister.Handler", "ControllerRegister.Head", "ControllerRegister.Include", "ControllerRegister.Init", "ControllerRegister.InsertFilter", "ControllerRegister.Options", "ControllerRegister.Patch", "ControllerRegister.Post", "ControllerRegister.Put", "ControllerRegister.ServeHTTP", "ControllerRegister.URLFor", "CtrlAny", "CtrlDelete", "CtrlGet", "CtrlHead", "CtrlOptions", "CtrlPatch", "CtrlPost", "CtrlPut", "Date", "DateFormat", "DateParse", "Delete", "Exception", "ExecuteTemplate", "ExecuteViewPathTemplate", "FileSystem.Open", "FilterRouter.ValidRouter", "FlashData.Error", "FlashData.Notice", "FlashData.Set", "FlashData.Store", "FlashData.Success", "FlashData.Warning", "Get", "GetConfig", "HTML2str", "Handler", "Head", "Htmlquote", "Htmlunquote", "HttpServer.Any", "HttpServer.AutoPrefix", "HttpServer.AutoRouter", "HttpServer.CtrlAny", "HttpServer.CtrlDelete", "HttpServer.CtrlGet", "HttpServer.CtrlHead", "HttpServer.CtrlOptions", "HttpServer.CtrlPatch", "HttpServer.CtrlPost", "HttpServer.CtrlPut", "HttpServer.Delete", "HttpServer.Get", "HttpServer.Handler", "HttpServer.Head", "HttpServer.Include", "HttpServer.InsertFilter", "HttpServer.LogAccess", "HttpServer.Options", "HttpServer.Patch", "HttpServer.Post", "HttpServer.PrintTree", "HttpServer.Put", "HttpServer.RESTRouter", "HttpServer.Router", "HttpServer.RouterWithOpts", "HttpServer.Run", "Include", "InitBeegoBeforeTest", "InsertFilter", "LoadAppConfig", "LogAccess", "MapGet", "Namespace.Any", "Namespace.AutoPrefix", "Namespace.AutoRouter", "Namespace.Cond", "Namespace.CtrlAny", "Namespace.CtrlDelete", "Namespace.CtrlGet", "Namespace.CtrlHead", "Namespace.CtrlOptions", "Namespace.CtrlPatch", "Namespace.CtrlPost", "Namespace.CtrlPut", "Namespace.Delete", "Namespace.Filter", "Namespace.Get", "Namespace.Handler", "Namespace.Head", "Namespace.Include", "Namespace.Namespace", 
"Namespace.Options", "Namespace.Patch", "Namespace.Post", "Namespace.Put", "Namespace.Router", "NewControllerRegister", "NewControllerRegisterWithCfg", "NewHttpServerWithCfg", "NewHttpSever", "NewNamespace", "NotNil", "Options", "ParseForm", "Patch", "Policy", "Post", "PrintTree", "Put", "RESTRouter", "ReadFromRequest", "RenderForm", "Router", "RouterWithOpts", "Run", "RunWithMiddleWares", "TestBeegoInit", "Tree.AddRouter", "Tree.AddTree", "Tree.Match", "Tree.match", "URLFor", "URLMap.GetMap", "URLMap.GetMapData", "Walk", "adminApp.Run", "adminController.AdminIndex", "adminController.Healthcheck", "adminController.ListConf", "adminController.ProfIndex", "adminController.PrometheusMetrics", "adminController.QpsIndex", "adminController.TaskStatus", "beegoAppConfig.Bool", "beegoAppConfig.DefaultBool", "beegoAppConfig.SaveConfigFile", "beegoAppConfig.Unmarshaler" ] } ] }