Description
github.com/gofiber/fiber/v2 vulnerable to Origin Validation Error
The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-20744
- https://github.com/gofiber/fiber/issues/2338
- https://github.com/rs/cors/issues/55
- https://github.com/gofiber/fiber/pull/2339
- https://github.com/rs/cors/pull/57
- https://web.archive.org/web/20200227091122/http://www.securityfocus.com/bid/106834
- https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-chen.pdf
Packages
Name: github.com/gofiber/fiber/v2 (go)
Affected versions: >= 2.0.0, < 2.43.0
Fixed version: 2.43.0
Name: github.com/rs/cors (go)
Affected versions: < 1.5.0
Fixed version: 1.5.0
Related vulnerabilities
CVSS3: 5.9
nvd
about 7 years ago
The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.