x/vulndb: potential Go vuln in github.com/beego/beego/v2: GHSA-9j3m-fr7q-jxfw

[GoVulnBot]

Advisory GHSA-9j3m-fr7q-jxfw references a vulnerability in the following Go modules:

Module
github.com/beego/beego
github.com/beego/beego/v2

Description:
In the context of using MD5 to generate filenames for cache keys, there are significant collision hazards that need to be considered. MD5, or Message Digest Algorithm 5, is a widely known cryptographic hash function that produces a 128-bit hash value. However, MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks.

Understanding Collisions

A collision in hashing occurs when two different inputs produce the same hash output. For MD5, this means that it is theoretically possible, and even practical, to find two distinct cache keys that...

References:

• ADVISORY: GHSA-9j3m-fr7q-jxfw
• ADVISORY: GHSA-9j3m-fr7q-jxfw
• FIX: beego/beego@e7fa483

Cross references:

• github.com/beego/beego appears in 5 other report(s):
  • data/excluded/GO-2022-0575.yaml (x/vulndb: potential Go vuln in github.com/beego/beego: GHSA-2v6v-q994-xvxx #575) NOT_A_VULNERABILITY
  • data/excluded/GO-2022-0598.yaml (x/vulndb: potential Go vuln in github.com/beego/beego: GHSA-ffjp-66mx-3qpj #598) NOT_A_VULNERABILITY
  • data/reports/GO-2022-0463.yaml (x/vulndb: potential Go vuln in github.com/beego/beego: CVE-2022-31259 #463)
  • data/reports/GO-2022-0569.yaml (x/vulndb: potential Go vuln in github.com/beego/beego: GHSA-95f9-94vc-665h #569)
  • data/reports/GO-2022-0572.yaml (x/vulndb: potential Go vuln in github.com/beego/beego: GHSA-28r6-jm5h-mrgg #572)
• github.com/beego/beego/v2 appears in 6 other report(s):
  • data/excluded/GO-2022-0935.yaml (x/vulndb: potential Go vuln in github.com/beego/beego/v2: CVE-2021-39391, GHSA-c77f-4rgj-jfr4 #935) NOT_IMPORTABLE
  • data/excluded/GO-2024-3017.yaml (x/vulndb: potential Go vuln in github.com/beego/beego/v2: GHSA-wr3p-r5fj-wf97 #3017) NOT_A_VULNERABILITY
  • data/reports/GO-2022-0463.yaml (x/vulndb: potential Go vuln in github.com/beego/beego: CVE-2022-31259 #463)
  • data/reports/GO-2022-0569.yaml (x/vulndb: potential Go vuln in github.com/beego/beego: GHSA-95f9-94vc-665h #569)
  • data/reports/GO-2022-0572.yaml (x/vulndb: potential Go vuln in github.com/beego/beego: GHSA-28r6-jm5h-mrgg #572)
  • data/reports/GO-2024-3016.yaml (x/vulndb: potential Go vuln in github.com/beego/beego/v2: GHSA-r6qh-j42j-pw64 #3016)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/beego/beego
      vulnerable_at: 1.12.14
    - module: github.com/beego/beego/v2
      versions:
        - fixed: 2.3.4
      vulnerable_at: 2.3.3
summary: Beego has Collision Hazards of MD5 in Cache Key Filenames in github.com/beego/beego
cves:
    - CVE-2024-55885
ghsas:
    - GHSA-9j3m-fr7q-jxfw
references:
    - advisory: https://github.com/advisories/GHSA-9j3m-fr7q-jxfw
    - advisory: https://github.com/beego/beego/security/advisories/GHSA-9j3m-fr7q-jxfw
    - fix: https://github.com/beego/beego/commit/e7fa4835f71f47ab1d13afd638cebf661800d5a4
source:
    id: GHSA-9j3m-fr7q-jxfw
    created: 2024-12-12T20:01:19.81495967Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/635760 mentions this issue: data/reports: add GO-2024-3331