Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qY3I2LW1tamotcGNod84AAwoZ
gorilla/handlers may allow requester to bypass expected behavior of the Same Origin Policy
Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.
Permalink: https://github.com/advisories/GHSA-jcr6-mmjj-pchwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qY3I2LW1tamotcGNod84AAwoZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-jcr6-mmjj-pchw, CVE-2017-20146
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-20146
- https://github.com/gorilla/handlers/pull/116
- https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145
- https://pkg.go.dev/vuln/GO-2020-0020
- https://github.com/advisories/GHSA-jcr6-mmjj-pchw
Blast Radius: 44.0
Affected Packages
go:github.com/gorilla/handlers
Dependent packages: 11,537Dependent repositories: 30,713
Downloads:
Affected Version Ranges: < 1.3.0
Fixed in: 1.3.0
All affected versions: 1.2.1
All unaffected versions: 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2