CVE-2021-27117: 
vulnerability analysis and mitigation

A symlink attack vulnerability was discovered in beego through version 2.0.2, specifically in the GetCPUProfile function within the profile.go file. The vulnerability was assigned CVE-2021-27117 and was publicly disclosed on April 5, 2022. The issue affects the beego framework's profile functionality, which does not properly validate file paths when creating profile files (Github Issue).

The vulnerability exists in the GetCPUProfile function within profile.go file. The function does not properly validate whether the created file exists before writing to it, allowing attackers to exploit symbolic links. This vulnerability has received a CVSS v3.1 base score of 7.8 (HIGH) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and a CVSS v2.0 score of 7.2 (HIGH) (NVD).

The vulnerability allows local attackers to launch symlink attacks, potentially leading to unauthorized file access and modification. Due to the improper file path validation, an attacker could manipulate symbolic links to write data to arbitrary locations, potentially compromising system integrity and confidentiality (Github Issue).

The vulnerability affects beego versions through 2.0.2. Users should upgrade to a patched version of the framework to address this security issue (NVD).