PT-2022-9806 · Beego · Beego

Toptotuo · Published 2022-04-05 · Updated 2022-04-12 · CVE-2021-27116

CVSS v3.1: 7.8 (High)
Vector: AC:L/AV:L/A:H/C:H/I:H/PR:L/S:U/UI:N
Name of the Vulnerable Software and Affected Versions: beego versions through 2.0.2
Description: An issue was discovered in the file profile.go, specifically in the MemProf function, which allows local attackers to launch symlink attacks. The cause is that the MemProf and GetCPUProfile functions do not correctly check whether the file they create already exists, which can let attackers escalate privileges.
Recommendations: For beego versions through 2.0.2, consider disabling the MemProf and GetCPUProfile functions as a temporary workaround until a patch is available. Restrict access to the profile.go file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
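The bug class the description names, shown as an added Go example that is not Beego's code: a profile file created with a plain os.Create follows a symlink already sitting at that path, while opening with O_EXCL refuses any pre-existing path (file, directory or dangling link). The names OpenProfileUnsafe, OpenProfileSafe and IsExistError are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// OpenProfileUnsafe mirrors the bug class in the advisory: the profile file
// is created without checking whether the path already exists, so a
// pre-planted symlink is silently followed and its target overwritten.
// (Constructed example, not Beego's code.)
func OpenProfileUnsafe(path string) (*os.File, error) {
	return os.Create(path)
}

// OpenProfileSafe adds O_EXCL: open(2) then fails with EEXIST if anything
// (regular file, directory, even a dangling symlink) already exists at the
// path, so a planted link is never followed. Mode 0600 keeps the dump private.
func OpenProfileSafe(path string) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return nil, fmt.Errorf("refusing to create profile %q: %w", path, err)
	}
	return f, nil
}

// IsExistError tells a caller that the path was already occupied, which it
// should log as possible tampering rather than retry with a weaker open.
func IsExistError(err error) bool { return errors.Is(err, fs.ErrExist) }

func main() {
	dir, _ := os.MkdirTemp("", "prof-demo")
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "victim.txt")
	link := filepath.Join(dir, "mem.prof")
	os.WriteFile(target, []byte("original\n"), 0o600)
	os.Symlink(target, link) // simulate a link planted before profiling runs
	if f, err := OpenProfileUnsafe(link); err == nil {
		f.WriteString("profile data\n")
		f.Close()
		data, _ := os.ReadFile(target)
		fmt.Printf("unsafe open wrote through the link: %q\n", data)
	}
	_, err := OpenProfileSafe(link)
	fmt.Println("safe open refused:", IsExistError(err))
}
```

Treat an EEXIST from the safe open as a signal worth logging, since a profile path should never be occupied before the profiler creates it.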

Exploit

Link Following


Weakness Enumeration

Related Identifiers

CVE-2021-27116
GHSA-FFJP-66MX-3QPJ

Affected Products

Beego