VYPR
High severity · NVD Advisory · Published Jul 31, 2024 · Updated Aug 6, 2024

CVE-2024-40464

Description

An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the sendMail function located in beego/core/logs/smtp.go file

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Beego v2.2.0 and earlier does not validate the SMTP server's TLS certificate in the sendMail function (InsecureSkipVerify is hard-coded to true), so an attacker positioned between the application and its mail server can impersonate the server and read or alter the log e-mails the application sends; NVD records the impact as privilege escalation.

Vulnerability

Description

An issue in beego v2.2.0 and earlier allows a remote attacker to escalate privileges via the sendMail function located in beego/core/logs/smtp.go [1][2]. The root cause is missing TLS certificate validation in the SMTP log writer: sendMail builds its tls.Config with InsecureSkipVerify hard-coded to true, so after the STARTTLS upgrade the client accepts whatever certificate the peer presents, regardless of issuer, subject name or validity period [1][3].

Exploitation

Exploitation requires a man-in-the-middle position on the network path between the beego application and its configured SMTP host. From there the attacker intercepts the SMTP session, answers the STARTTLS upgrade with a certificate of their own, and the connection is not rejected [2]. No interaction with or authentication against the beego application is needed; the vulnerable code runs whenever the SMTP writer sends a log message. The fix, commit 8f89e12e6cafb106d5c201dbc3b2a338bfde74e2, replaces the hard-coded value with an insecureSkipVerify field on SMTPWriter that is read from the writer's JSON config [3]. Note that the new field still defaults to true, so an upgraded deployment that does not set the option keeps the vulnerable behaviour.

Impact

Successful exploitation lets the attacker read and modify the e-mail notifications the beego application sends through the SMTP writer, which NVD characterises as privilege escalation [1][2]. The concrete exposure depends on what is logged and who acts on the mail: log e-mails commonly carry stack traces, request parameters and internal hostnames, and if SMTP authentication is configured (the auth argument to sendMail) the credentials are sent over the same impersonated connection. Forged or suppressed notifications matter most where operators or downstream systems act on them, for example alerting, password-reset or other e-mail-driven workflows.

Mitigation

Upgrade github.com/beego/beego/v2 to 2.2.1 or later and set "insecureSkipVerify": false in the SMTP writer's JSON config; the upgrade alone is not sufficient because the option still defaults to true [1][3]. With verification enabled, the host part of the configured "host" value must match a name in the SMTP server's certificate, and that certificate must chain to a CA in the application's system trust store. There is no evidence this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
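As an added illustration (this is not beego's code and not part of the advisory), the following Go program stands in for the sendMail handshake: it mints a self-signed certificate that no trust store accepts, serves it from a local TLS listener playing the impersonating mail server, and connects with the two tls.Config variants visible in the patch diff. It also shows why upgrading alone is not enough: a beego-style JSON config that omits insecureSkipVerify keeps the default of true. The type smtpWriterConfig, the functions loadConfig, selfSignedCert and handshakeAccepted, and the host name smtp.example.invalid are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"net"
	"time"
)

// smtpWriterConfig is a local stand-in for the JSON shape of beego's SMTPWriter
// (hypothetical type for this example; only the fields the example needs).
type smtpWriterConfig struct {
	Host               string `json:"host"`
	InsecureSkipVerify bool   `json:"insecureSkipVerify"`
}

// loadConfig mirrors the patched beego behaviour: the writer starts with
// InsecureSkipVerify=true and json.Unmarshal only overrides it when the key is present.
func loadConfig(raw string) (smtpWriterConfig, error) {
	cfg := smtpWriterConfig{InsecureSkipVerify: true}
	err := json.Unmarshal([]byte(raw), &cfg)
	return cfg, err
}

// selfSignedCert creates a throwaway certificate for name that no root store trusts.
func selfSignedCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshakeAccepted runs a local TLS server presenting the untrusted certificate (the
// impersonating mail server) and connects to it the way sendMail does after STARTTLS,
// with the given InsecureSkipVerify value. It returns true if the client accepted it.
func handshakeAccepted(insecureSkipVerify bool) (bool, error) {
	const serverName = "smtp.example.invalid" // constructed; stands in for the configured host
	cert, err := selfSignedCert(serverName)
	if err != nil {
		return false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		_ = c.(*tls.Conn).Handshake() // drive the server side; an error here is the client's rejection
		c.Close()
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 2*time.Second)
	if err != nil {
		return false, err
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(2 * time.Second))
	client := tls.Client(raw, &tls.Config{
		InsecureSkipVerify: insecureSkipVerify, // beego <= 2.2.0 hard-codes true here
		ServerName:         serverName,
	})
	if err := client.Handshake(); err != nil {
		return false, nil // x509 verification failed: the impersonation was rejected
	}
	return true, nil
}

func main() {
	for _, skip := range []bool{true, false} {
		ok, err := handshakeAccepted(skip)
		fmt.Printf("InsecureSkipVerify=%-5v untrusted server accepted: %v (err=%v)\n", skip, ok, err)
	}
	cfg, _ := loadConfig(`{"host":"smtp.example.invalid:587"}`)
	fmt.Println("config without insecureSkipVerify key keeps skip-verify =", cfg.InsecureSkipVerify)
}
```

Run it and the first handshake succeeds against a certificate nobody issued, the second fails with an unknown-authority error, and the config without the key reports true. In a real deployment the listener is the attacker's box on the path to the mail server, and the client is the beego process flushing a log entry.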

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem   Affected versions   Patched versions
github.com/beego/beego/v2   Go          < 2.2.1             2.2.1


Patches (1)

8f89e12e6caf: fix GHSA-6g9p-wv47-4fxq

https://github.com/beego/beego · Deng Ming · Apr 25, 2024 · via ghsa
2 files changed · +19 −15
  • core/logs/alils/request.go+2 2 modified
    @@ -13,7 +13,7 @@ func request(project *LogProject, method, uri string, headers map[string]string,
     
     	// The caller should provide 'x-sls-bodyrawsize' header
     	if _, ok := headers["x-sls-bodyrawsize"]; !ok {
    -		err = fmt.Errorf("Can't find 'x-sls-bodyrawsize' header")
    +		err = fmt.Errorf("can't find 'x-sls-bodyrawsize' header")
     		return
     	}
     
    @@ -27,7 +27,7 @@ func request(project *LogProject, method, uri string, headers map[string]string,
     		headers["Content-MD5"] = bodyMD5
     
     		if _, ok := headers["Content-Type"]; !ok {
    -			err = fmt.Errorf("Can't find 'Content-Type' header")
    +			err = fmt.Errorf("can't find 'Content-Type' header")
     			return
     		}
     	}
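Review bot: the two hunks in core/logs/alils/request.go only lower-case the first letter of the "Can't find ..." error strings and have nothing to do with GHSA-6g9p-wv47-4fxq; they belong in a separate style commit so that the security fix stays minimal and trivially backportable. They are harmless on their own, but anyone matching on these messages in log processing should know the text changed.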
    
  • core/logs/smtp.go+17 13 modified
    @@ -32,29 +32,33 @@ type SMTPWriter struct {
     	FromAddress        string   `json:"fromAddress"`
     	RecipientAddresses []string `json:"sendTos"`
     	Level              int      `json:"level"`
    -	formatter          LogFormatter
    -	Formatter          string `json:"formatter"`
    +	// InsecureSkipVerify default value: true
    +	InsecureSkipVerify bool `json:"insecureSkipVerify"`
    +
    +	formatter LogFormatter
    +	Formatter string `json:"formatter"`
     }
     
     // NewSMTPWriter creates the smtp writer.
     func newSMTPWriter() Logger {
    -	res := &SMTPWriter{Level: LevelTrace}
    +	res := &SMTPWriter{Level: LevelTrace, InsecureSkipVerify: true}
     	res.formatter = res
     	return res
     }
     
     // Init smtp writer with json config.
     // config like:
     //
    -//	{
    -//		"username":"example@gmail.com",
    -//		"password:"password",
    -//		"host":"smtp.gmail.com:465",
    -//		"subject":"email title",
    -//		"fromAddress":"from@example.com",
    -//		"sendTos":["email1","email2"],
    -//		"level":LevelError
    -//	}
    +//		{
    +//			"username":"example@gmail.com",
    +//			"password:"password",
    +//			"host":"smtp.gmail.com:465",
    +//			"subject":"email title",
    +//			"fromAddress":"from@example.com",
    +//			"sendTos":["email1","email2"],
    +//			"level":LevelError,
    +//	     	"insecureSkipVerify": false
    +//		}
     func (s *SMTPWriter) Init(config string) error {
     	res := json.Unmarshal([]byte(config), s)
     	if res == nil && len(s.Formatter) > 0 {
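Review bot: the new field keeps the insecure behaviour as the default, both in the comment (`// InsecureSkipVerify default value: true`) and in newSMTPWriter (`InsecureSkipVerify: true`), so every deployment that upgrades without touching its config still skips certificate verification; the secure default is false, and if compatibility forbids flipping it, the comment should at least state that the default disables certificate checking and must not be used in production. The example config also has pre-existing defects worth fixing while it is being edited: `"password:"password",` is missing a quote, `"level":LevelError` is not valid JSON, and the added `"insecureSkipVerify": false` line is indented with a different mix of tabs and spaces than its neighbours.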
    @@ -91,7 +95,7 @@ func (s *SMTPWriter) sendMail(hostAddressWithPort string, auth smtp.Auth, fromAd
     
     	host, _, _ := net.SplitHostPort(hostAddressWithPort)
     	tlsConn := &tls.Config{
    -		InsecureSkipVerify: true,
    +		InsecureSkipVerify: s.InsecureSkipVerify,
     		ServerName:         host,
     	}
     	if err = client.StartTLS(tlsConn); err != nil {
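Review bot: passing s.InsecureSkipVerify into the tls.Config is the right shape, and ServerName is already set from the configured host, so verification works as soon as the field is false; but because the field defaults to true this hunk changes nothing on the default path, and nothing here logs or warns when verification is skipped. Consider emitting a warning when s.InsecureSkipVerify is true, and documenting that with verification on, the host part of "host" (the value returned by net.SplitHostPort) must match a name in the server certificate, which deployments that configure an IP address will run into.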
    

