x/vulndb: potential Go vuln in github.com/beego/beego/v2: GHSA-r6qh-j42j-pw64

[GoVulnBot]

Advisory GHSA-r6qh-j42j-pw64 references a vulnerability in the following Go modules:

Module
github.com/beego/beego
github.com/beego/beego/v2

Description: An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the sendMail function located in the beego/core/logs/smtp.go file.

References:

• ADVISORY: https://github.com/advisories/GHSA-r6qh-j42j-pw64
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-40464
• FIX: https://github.com/beego/beego/commit/8f89e12e6cafb106d5c201dbc3b2a338bfde74e2
• WEB: https://gist.github.com/nyxfqq/b53b0148b9aa040de63f58a68fd11445
• WEB: https://github.com/beego/beego/security/advisories/GHSA-6g9p-wv47-4fxq

Cross references:

• github.com/beego/beego appears in 5 other report(s):
  • data/excluded/GO-2022-0575.yaml (https://github.com/golang/vulndb/issues/575) NOT_A_VULNERABILITY
  • data/excluded/GO-2022-0598.yaml (https://github.com/golang/vulndb/issues/598) NOT_A_VULNERABILITY
  • data/reports/GO-2022-0463.yaml (https://github.com/golang/vulndb/issues/463)
  • data/reports/GO-2022-0569.yaml (https://github.com/golang/vulndb/issues/569)
  • data/reports/GO-2022-0572.yaml (https://github.com/golang/vulndb/issues/572)
• github.com/beego/beego/v2 appears in 4 other report(s):
  • data/excluded/GO-2022-0935.yaml (https://github.com/golang/vulndb/issues/935) NOT_IMPORTABLE
  • data/reports/GO-2022-0463.yaml (https://github.com/golang/vulndb/issues/463)
  • data/reports/GO-2022-0569.yaml (https://github.com/golang/vulndb/issues/569)
  • data/reports/GO-2022-0572.yaml (https://github.com/golang/vulndb/issues/572)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/beego/beego
      vulnerable_at: 1.12.12
    - module: github.com/beego/beego/v2
      versions:
        - fixed: 2.2.1
      vulnerable_at: 2.2.0
summary: Beego privilege escalation vulnerability in github.com/beego/beego
cves:
    - CVE-2024-40464
ghsas:
    - GHSA-r6qh-j42j-pw64
references:
    - advisory: https://github.com/advisories/GHSA-r6qh-j42j-pw64
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40464
    - fix: https://github.com/beego/beego/commit/8f89e12e6cafb106d5c201dbc3b2a338bfde74e2
    - web: https://gist.github.com/nyxfqq/b53b0148b9aa040de63f58a68fd11445
    - web: https://github.com/beego/beego/security/advisories/GHSA-6g9p-wv47-4fxq
source:
    id: GHSA-r6qh-j42j-pw64
    created: 2024-08-01T14:01:18.509844175Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/606775 mentions this issue: data/reports: add 4 reports