PT-2022-20646 · Beego · Beego

Runner361 · Published 2022-05-21 · Updated 2023-02-17 · CVE-2022-31259

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

beego versions prior to 1.12.9
beego versions 2.x prior to 2.0.3

Description

The route lookup process in beego allows attackers to bypass access control by appending .xml to path segments of a configured route. For example, when a /p1/p2/:name route is configured, the route can also be reached by sending p1.xml instead of p1 as the first segment. Because the matcher is broader than the configured path, access controls that are applied to a URL prefix before routing can be bypassed: a filter on the prefix "/a/" does not see the URL "/a.xml/b/", yet the pattern "/a/b/:name" still matches it and the request is dispatched to the protected handler.
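The bypass described above, as an added example that is not beego's code: a simplified segment router that reproduces only the behaviour the advisory describes (a literal segment also matching with ".xml" appended), beside a hardened variant that accepts the suffix on the final segment only, plus a filter on the "/a/" prefix that runs on the raw request path before routing. The route "/a/b/:name", the filter prefix, the request paths and the match/dispatch helpers are all constructed for illustration; beego's real suffix handling and tree implementation are not reproduced here.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed model of a path-segment router. It is NOT beego's tree.go; it only
// reproduces the behaviour the advisory describes: a literal segment may also be
// matched with a ".xml" suffix appended to it.
const ext = ".xml"

// split turns "/a/b/c" into ["a","b","c"]. A trailing "/" yields a final ""
// segment, so "/a.xml/b/" becomes ["a.xml","b",""] and :name captures "".
func split(p string) []string {
	return strings.Split(strings.TrimPrefix(p, "/"), "/")
}

// match compares a route pattern such as "/a/b/:name" with a request path.
// lastOnly=false accepts the ".xml" suffix on ANY literal segment (the overly
// broad, vulnerable behaviour); lastOnly=true accepts it on the final segment
// only. It returns the captured parameters and whether the route matched.
func match(pattern, path string, lastOnly bool) (map[string]string, bool) {
	ps, rs := split(pattern), split(path)
	if len(ps) != len(rs) {
		return nil, false
	}
	params := map[string]string{}
	for i, seg := range ps {
		req := rs[i]
		switch {
		case strings.HasPrefix(seg, ":"):
			params[seg[1:]] = req // parameter segment captures whatever was sent
		case seg == req:
			// exact literal match
		case strings.HasSuffix(req, ext) && strings.TrimSuffix(req, ext) == seg &&
			(!lastOnly || i == len(ps)-1):
			params["ext"] = ext[1:] // "a.xml" treated as "a"
		default:
			return nil, false
		}
	}
	return params, true
}

// prefixFilterAllows models an access-control filter registered on a URL
// prefix: it denies unauthenticated requests whose raw path starts with the
// prefix. Like the filter in the advisory, it runs before route matching.
func prefixFilterAllows(path, prefix string, authed bool) bool {
	return authed || !strings.HasPrefix(path, prefix)
}

// dispatch models the request pipeline for an unauthenticated client: prefix
// filter on "/a/", then routing against "/a/b/:name". It returns "denied",
// "no route" or "served".
func dispatch(path string, lastOnly bool) string {
	if !prefixFilterAllows(path, "/a/", false) {
		return "denied"
	}
	if _, ok := match("/a/b/:name", path, lastOnly); !ok {
		return "no route"
	}
	return "served"
}

func main() {
	for _, p := range []string{"/a/b/alice", "/a.xml/b/alice", "/a.xml/b/"} {
		fmt.Printf("%-16s vulnerable=%-9s fixed=%s\n", p, dispatch(p, false), dispatch(p, true))
	}
}
```

With the broad matcher, "/a.xml/b/alice" slips past the "/a/" filter and is still served by the "/a/b/:name" handler; once the suffix is accepted on the final segment only, the same request no longer matches any route. The direct path "/a/b/alice" is denied by the filter in both variants, which is why a test against the straight path does not reveal the problem.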
Recommendations

For beego versions prior to 1.12.9, update to version 1.12.9 or later. For beego versions 2.x prior to 2.0.3, update to version 2.0.3 or later. Until the update is applied, do not rely on URL-prefix filters alone to protect routes that contain a parameter segment (such as :name in the example above); enforce the access check on the matched route or inside its handler, or avoid exposing such routes.

Exploit · Fix

Weakness Enumeration

Improper Access Control
Related Identifiers

CVE-2022-31259
GHSA-QX32-F6G6-FCFR
GO-2022-0463

Affected Products

Beego