Vulnerability Report: GO-2022-0463

Affected Packages

• Path
  Versions
  Symbols
• github.com/astaxie/beego
  all versions, no known fixed
  10 affected symbols

  • App.Run
  • ControllerRegister.FindPolicy
  • ControllerRegister.FindRouter
  • ControllerRegister.ServeHTTP
  • FilterRouter.ValidRouter
  • InitBeegoBeforeTest
  • Run
  • RunWithMiddleWares
  • TestBeegoInit
  • Tree.Match
• github.com/beego/beego
  before v1.12.9
  10 affected symbols

  • App.Run
  • ControllerRegister.FindPolicy
  • ControllerRegister.FindRouter
  • ControllerRegister.ServeHTTP
  • FilterRouter.ValidRouter
  • InitBeegoBeforeTest
  • Run
  • RunWithMiddleWares
  • TestBeegoInit
  • Tree.Match
• github.com/beego/beego/v2/server/web
  before v2.0.3
  210 affected symbols

  • AddNamespace
  • AddViewPath
  • Any
  • AutoPrefix
  • AutoRouter
  • BuildTemplate
  • Compare
  • CompareNot
  • Controller.Abort
  • Controller.Bind
  • Controller.BindForm
  • Controller.BindJSON
  • Controller.BindProtobuf
  • Controller.BindXML
  • Controller.BindYAML
  • Controller.CheckXSRFCookie
  • Controller.CustomAbort
  • Controller.Delete
  • Controller.DestroySession
  • Controller.Get
  • Controller.GetBool
  • Controller.GetFile
  • Controller.GetFloat
  • Controller.GetInt
  • Controller.GetInt16
  • Controller.GetInt32
  • Controller.GetInt64
  • Controller.GetInt8
  • Controller.GetSecureCookie
  • Controller.GetString
  • Controller.GetStrings
  • Controller.GetUint16
  • Controller.GetUint32
  • Controller.GetUint64
  • Controller.GetUint8
  • Controller.Head
  • Controller.Input
  • Controller.IsAjax
  • Controller.JSONResp
  • Controller.Options
  • Controller.ParseForm
  • Controller.Patch
  • Controller.Post
  • Controller.Put
  • Controller.Redirect
  • Controller.Render
  • Controller.RenderBytes
  • Controller.RenderString
  • Controller.Resp
  • Controller.SaveToFile
  • Controller.SaveToFileWithBuffer
  • Controller.ServeFormatted
  • Controller.ServeJSON
  • Controller.ServeJSONP
  • Controller.ServeXML
  • Controller.ServeYAML
  • Controller.SessionRegenerateID
  • Controller.SetData
  • Controller.SetSecureCookie
  • Controller.Trace
  • Controller.URLFor
  • Controller.XMLResp
  • Controller.XSRFFormHTML
  • Controller.XSRFToken
  • Controller.YamlResp
  • ControllerRegister.Add
  • ControllerRegister.AddAuto
  • ControllerRegister.AddAutoPrefix
  • ControllerRegister.AddMethod
  • ControllerRegister.AddRouterMethod
  • ControllerRegister.Any
  • ControllerRegister.CtrlAny
  • ControllerRegister.CtrlDelete
  • ControllerRegister.CtrlGet
  • ControllerRegister.CtrlHead
  • ControllerRegister.CtrlOptions
  • ControllerRegister.CtrlPatch
  • ControllerRegister.CtrlPost
  • ControllerRegister.CtrlPut
  • ControllerRegister.Delete
  • ControllerRegister.FindPolicy
  • ControllerRegister.FindRouter
  • ControllerRegister.Get
  • ControllerRegister.GetContext
  • ControllerRegister.Handler
  • ControllerRegister.Head
  • ControllerRegister.Include
  • ControllerRegister.Init
  • ControllerRegister.InsertFilter
  • ControllerRegister.Options
  • ControllerRegister.Patch
  • ControllerRegister.Post
  • ControllerRegister.Put
  • ControllerRegister.ServeHTTP
  • ControllerRegister.URLFor
  • CtrlAny
  • CtrlDelete
  • CtrlGet
  • CtrlHead
  • CtrlOptions
  • CtrlPatch
  • CtrlPost
  • CtrlPut
  • Date
  • DateFormat
  • DateParse
  • Delete
  • Exception
  • ExecuteTemplate
  • ExecuteViewPathTemplate
  • FileSystem.Open
  • FilterRouter.ValidRouter
  • FlashData.Error
  • FlashData.Notice
  • FlashData.Set
  • FlashData.Store
  • FlashData.Success
  • FlashData.Warning
  • Get
  • GetConfig
  • HTML2str
  • Handler
  • Head
  • Htmlquote
  • Htmlunquote
  • HttpServer.Any
  • HttpServer.AutoPrefix
  • HttpServer.AutoRouter
  • HttpServer.CtrlAny
  • HttpServer.CtrlDelete
  • HttpServer.CtrlGet
  • HttpServer.CtrlHead
  • HttpServer.CtrlOptions
  • HttpServer.CtrlPatch
  • HttpServer.CtrlPost
  • HttpServer.CtrlPut
  • HttpServer.Delete
  • HttpServer.Get
  • HttpServer.Handler
  • HttpServer.Head
  • HttpServer.Include
  • HttpServer.InsertFilter
  • HttpServer.LogAccess
  • HttpServer.Options
  • HttpServer.Patch
  • HttpServer.Post
  • HttpServer.PrintTree
  • HttpServer.Put
  • HttpServer.RESTRouter
  • HttpServer.Router
  • HttpServer.RouterWithOpts
  • HttpServer.Run
  • Include
  • InitBeegoBeforeTest
  • InsertFilter
  • LoadAppConfig
  • LogAccess
  • MapGet
  • Namespace.Any
  • Namespace.AutoPrefix
  • Namespace.AutoRouter
  • Namespace.Cond
  • Namespace.CtrlAny
  • Namespace.CtrlDelete
  • Namespace.CtrlGet
  • Namespace.CtrlHead
  • Namespace.CtrlOptions
  • Namespace.CtrlPatch
  • Namespace.CtrlPost
  • Namespace.CtrlPut
  • Namespace.Delete
  • Namespace.Filter
  • Namespace.Get
  • Namespace.Handler
  • Namespace.Head
  • Namespace.Include
  • Namespace.Namespace
  • Namespace.Options
  • Namespace.Patch
  • Namespace.Post
  • Namespace.Put
  • Namespace.Router
  • NewControllerRegister
  • NewControllerRegisterWithCfg
  • NewHttpServerWithCfg
  • NewHttpSever
  • NewNamespace
  • NotNil
  • Options
  • ParseForm
  • Patch
  • Policy
  • Post
  • PrintTree
  • Put
  • RESTRouter
  • ReadFromRequest
  • RenderForm
  • Router
  • RouterWithOpts
  • Run
  • RunWithMiddleWares
  • TestBeegoInit
  • Tree.AddRouter
  • Tree.AddTree
  • Tree.Match
  • URLFor
  • URLMap.GetMap
  • URLMap.GetMapData
  • Walk

Aliases

• CVE-2022-31259
• GHSA-qx32-f6g6-fcfr

References

• https://github.com/beego/beego/pull/4958
• https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd
• https://beego.vip
• https://github.com/beego/beego/issues/4946
• https://github.com/beego/beego/pull/4954
• https://vuln.go.dev/ID/GO-2022-0463.json

Feedback