Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12ODRoLTY1M3YtNHBxOc4AA7vR
Some CORS middleware allow untrusted origins
Impact
Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.
For example, specifying origin patterns https://foo.com and https://bar.com (in that order) would yield a middleware that would incorrectly allow untrusted origin https://barfoo.com.
Patches
Patched in v0.9.0.
Workarounds
None.
Permalink: https://github.com/advisories/GHSA-v84h-653v-4pq9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ODRoLTY1M3YtNHBxOc4AA7vR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 15 days ago
Updated: 15 days ago
CVSS Score: 9.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Identifiers: GHSA-v84h-653v-4pq9
References:
- https://github.com/jub0bs/fcors/security/advisories/GHSA-v84h-653v-4pq9
- https://github.com/jub0bs/fcors/commit/08d85c149a418a583315cee066d4a35cc817219d
- https://github.com/advisories/GHSA-v84h-653v-4pq9
Blast Radius: 0.0
Affected Packages
go:github.com/jub0bs/fcors
Dependent packages: 1Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 0.8.0
Fixed in: 0.9.0
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0
All unaffected versions: 0.9.0