The File Session Manager in Beego 1.10.0 allows local users to read session files because there is a race condition involving file creation within a directory with weak permissions.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/beego/beego | lt | 1.12.2 | |
github.com/astaxie/beego | lt | 1.12.2 |
github.com/astaxie/beego
github.com/astaxie/beego/blob/v1.12.2/session/sess_file.go#L142
github.com/astaxie/beego/commit/f99cbe0fa40936f2f8dd28e70620c559b6e5e2fd
github.com/astaxie/beego/issues/3763
github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1
github.com/beego/beego/issues/3763
github.com/beego/beego/pull/3975
github.com/beego/beego/pull/3975/commits/f99cbe0fa40936f2f8dd28e70620c559b6e5e2fd
nvd.nist.gov/vuln/detail/CVE-2019-16354
pkg.go.dev/vuln/GO-2021-0084