The route lookup process in beego before 1.12.9 and 2.x before 2.0.3 allows attackers to bypass access control. When a /p1/p2/:name route is configured, attackers can access it by appending .xml in various places (e.g., p1.xml instead of p1).
References
Link | Resource |
---|---|
https://beego.vip | Product |
https://github.com/advisories/GHSA-qx32-f6g6-fcfr | |
https://github.com/beego/beego/issues/4946 | Exploit Issue Tracking Patch Third Party Advisory |
https://github.com/beego/beego/tree/v2.0.2 | Release Notes Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-05-21T00:00:00
Updated: 2023-02-17T00:00:00
Reserved: 2022-05-21T00:00:00
Link: CVE-2022-31259
JSON object: View
NVD Information
Status : Modified
Published: 2022-05-21T19:15:52.990
Modified: 2023-02-17T17:15:11.023
Link: CVE-2022-31259
JSON object: View
Redhat Information
No data.
CWE