Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12aHh2LWZnNG0tcDJ3OM4AA7vQ
Some CORS middleware allow untrusted origins
Impact
Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.
For example, specifying origin patterns https://foo.com and https://bar.com (in that order) would yield a middleware that would incorrectly allow untrusted origin https://barfoo.com.
Patches
Patched in v0.1.3.
Workarounds
None.
Permalink: https://github.com/advisories/GHSA-vhxv-fg4m-p2w8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12aHh2LWZnNG0tcDJ3OM4AA7vQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 6 months ago
CVSS Score: 9.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Identifiers: GHSA-vhxv-fg4m-p2w8
References:
- https://github.com/jub0bs/cors/security/advisories/GHSA-vhxv-fg4m-p2w8
- https://github.com/jub0bs/cors/commit/5bc0648a32db2d600179a50866f648f4d7090363
- https://github.com/jub0bs/cors/commit/63900fa1776237095fa0ed47ff85791e21f3a7d7
- https://github.com/advisories/GHSA-vhxv-fg4m-p2w8
Blast Radius: 1.0
Affected Packages
go:github.com/jub0bs/cors
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 0.1.3
Fixed in: 0.1.3
All affected versions: 0.1.0, 0.1.1, 0.1.2
All unaffected versions: 0.1.3, 0.2.0, 0.3.0, 0.3.1