GitHub Advisory DatabaseGHSA-F6PX-W8RH-7R89Beego has a file creation race condition
1.9 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
5.1%
The File Session Manager in Beego 1.10.0 allows local users to read session files because there is a race condition involving file creation within a directory with weak permissions.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/astaxie/beego | lt | 1.12.2 | |
| github.com/beego/beego | lt | 1.12.2 |
References
github.com/advisories/GHSA-f6px-w8rh-7r89
github.com/astaxie/beego/blob/v1.12.2/session/sess_file.go#L142
github.com/astaxie/beego/commit/f99cbe0fa40936f2f8dd28e70620c559b6e5e2fd
github.com/astaxie/beego/issues/3763
github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1
github.com/beego/beego/issues/3763
github.com/beego/beego/pull/3975
github.com/beego/beego/pull/3975/commits/f99cbe0fa40936f2f8dd28e70620c559b6e5e2fd
nvd.nist.gov/vuln/detail/CVE-2019-16354
pkg.go.dev/vuln/GO-2021-0084
Related
1.9 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
5.1%