CVE-2021-27116: Privilege escalation in beego

CVSS Score: 7.8 (CVSS 3.1)

Basic Information
CVE ID: CVE-2021-27116
GHSA ID:
EPSS Score: 0.37771%
CWE: CWE-59
Published: 4/6/2022
Updated: 1/27/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/beego/beego/v2 | go | >= 2.0.0, < 2.0.2 | 2.0.2 |
| github.com/beego/beego | go | < 2.0.2 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- Multiple sources (the CVE description, the GHSA advisory, and GitHub issue #4484) explicitly name MemProf and GetCPUProfile as the vulnerable functions.
- The vulnerability pattern matches CWE-59 (link following): a file is created at a predictable path without first checking whether something, such as a symlink, already exists there.
- The provided PoC demonstrates how a write to a symlinked profile path can overwrite a protected file through these profiling functions.
- In the vulnerable versions, both functions create the profile file without any safeguard against a pre-existing symlink at that path.
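The following is an added example, not beego's code, that shows the difference between the weak create-and-truncate pattern described above and the hardened form a profiler should use when the output path can be influenced by a less-privileged user. The scenario (a temp directory, a "protected" file, and a symlink planted at the would-be profile path) is constructed inside the program; the function names are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// CreateProfileFile is the hardened form: O_EXCL makes the open fail if any
// entry, symlink included, already exists at path, so a pre-planted link
// cannot redirect the profile write to a file the caller did not intend.
func CreateProfileFile(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

// UnsafeCreateProfileFile is the weak pattern: os.Create truncates whatever
// the path resolves to, following a symlink if one is present.
func UnsafeCreateProfileFile(path string) (*os.File, error) {
	return os.Create(path)
}

// Demo builds a constructed scenario in a fresh temp dir: a "protected" file
// and a symlink at the would-be profile path pointing at it. It reports
// whether the unsafe open overwrote the protected file and whether the
// hardened open refused to write through the link.
func Demo() (unsafeClobbered bool, safeRefused bool, err error) {
	dir, err := os.MkdirTemp("", "profdemo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)

	protected := filepath.Join(dir, "protected.txt")
	if err := os.WriteFile(protected, []byte("original contents\n"), 0o600); err != nil {
		return false, false, err
	}
	link := filepath.Join(dir, "cpu.prof") // constructed: a pre-planted symlink
	if err := os.Symlink(protected, link); err != nil {
		return false, false, err
	}

	// Weak pattern: the write lands in protected.txt via the symlink.
	f, err := UnsafeCreateProfileFile(link)
	if err != nil {
		return false, false, err
	}
	_, werr := f.WriteString("profile data\n")
	f.Close()
	if werr != nil {
		return false, false, werr
	}
	got, err := os.ReadFile(protected)
	if err != nil {
		return false, false, err
	}
	unsafeClobbered = string(got) == "profile data\n"

	// Hardened pattern: O_EXCL sees the existing entry and refuses.
	if _, err := CreateProfileFile(link); errors.Is(err, os.ErrExist) {
		safeRefused = true
	}
	return unsafeClobbered, safeRefused, nil
}

func main() {
	clobbered, refused, err := Demo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("unsafe open overwrote target: %v\nO_EXCL open refused: %v\n", clobbered, refused)
}
```

O_EXCL is the portable check: it turns "something is already there" into an error instead of a silent follow. Writing profiles only into a directory the process owns (rather than a world-writable location) removes the precondition entirely, and on Unix O_NOFOLLOW can be added for defence in depth.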