
CVE-2019-16355: Incorrect Default Permissions in Beego

CVSS Score: 5.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.12695%
Published: 5/24/2022
Updated: 4/22/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name             | Ecosystem | Vulnerable Versions | First Patched Version
github.com/beego/beego   | go        | < 1.12.2            | 1.12.2
github.com/astaxie/beego | go        | < 1.12.2            | 1.12.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the session storage directory being created with insecure 0777 permissions in session management. Commit f99cbe0 patches the two affected functions by changing the mode from 0777 to 0755. Both functions create the session storage directory, and the original 0777 mode allowed any local user to read session files. The CWE-276 mapping confirms this is an incorrect default permissions issue.
