x/vulndb: origin-validation error in github.com/jub0bs/fcors

Open jub0bs opened this issue 2 months ago • 0 comments

Acknowledgement

  • [X] The maintainer(s) of the affected project have already been made aware of this vulnerability.

Description

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patterns https://foo.com and https://bar.com (in that order) would yield a middleware that would incorrectly allow untrusted origin https://barfoo.com.

Affected Modules, Packages, Versions and Symbols

Module: github.com/jub0bs/fcors
Package: github.com/jub0bs/fcors
Versions:
  - Introduced: 0.8.0
  - Fixed: 0.9.0
Symbols:
  - AllowAccess
  - AllowAccessWithCredentials
  - FromOrigins
  - Middleware

CVE/GHSA ID

GHSA-v84h-653v-4pq9

Fix Commit or Pull Request

https://github.com/jub0bs/fcors/commit/b5dcb889a49def37d7d9c25deb7135f4eb45625e

References

  • https://cwe.mitre.org/data/definitions/346.html

jub0bs, May 02 '24 05:05
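
A regression probe for the origin confusion described in this report, added here as an example; it is not code from the issue or from fcors. `standIn` and `LeakedOrigins` are hypothetical names, and `standIn` is a constructed handler whose suffix mode only imitates the reported symptom, not the library's actual matching logic.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"slices"
	"strings"
)

// standIn is a constructed CORS-wrapped handler (not fcors code). suffix=false allows
// exact origins only; suffix=true wrongly accepts any origin ending in an allowed host.
func standIn(suffix bool, allowed ...string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		o := r.Header.Get("Origin")
		for _, a := range allowed {
			_, host, _ := strings.Cut(a, "://")
			if o == a || suffix && strings.HasSuffix(o, host) {
				w.Header().Set("Access-Control-Allow-Origin", o)
			}
		}
	})
}

// LeakedOrigins glues the first host label of each allowed origin onto every allowed
// host (bar + foo.com) and returns the untrusted results that h nevertheless allows.
func LeakedOrigins(h http.Handler, allowed ...string) []string {
	var leaked []string
	for _, a := range allowed {
		_, hostA, _ := strings.Cut(a, "://")
		label, _, _ := strings.Cut(hostA, ".")
		for _, b := range allowed {
			probe := strings.Replace(b, "://", "://"+label, 1)
			req := httptest.NewRequest(http.MethodGet, "/", nil)
			req.Header.Set("Origin", probe)
			rec := httptest.NewRecorder()
			h.ServeHTTP(rec, req)
			if rec.Header().Get("Access-Control-Allow-Origin") == probe && !slices.Contains(allowed, probe) {
				leaked = append(leaked, probe)
			}
		}
	}
	return leaked
}

func main() {
	origins := []string{"https://foo.com", "https://bar.com"} // patterns from the report
	fmt.Println("exact: ", LeakedOrigins(standIn(false, origins...), origins...))
	fmt.Println("suffix:", LeakedOrigins(standIn(true, origins...), origins...))
}
```

To check a real deployment, pass your own handler wrapped in its CORS middleware as `h`, together with the same origin list you configured; an empty result is the expected outcome.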