Description
parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.
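The two examples in the description are both explained by a trailing-wildcard pattern losing its final character before the `*` when it is turned into a prefix match, so `https://example.com/*` effectively becomes the prefix `https://example.com`. The Go program below is an added example written for this page, not the middleware's own code: it models that flawed parsing next to a strict prefix/suffix matcher, runs the advisory's own origins through both, and lists the configured patterns whose scope widens under the flawed behaviour. The assumption that the root cause is this off-by-one truncation is the example's own, labelled in the code; the function names and the sample configuration are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// wildcardRule is a parsed allow-origin pattern: an origin is accepted when it
// starts with prefix and ends with suffix. An empty suffix matches anything.
type wildcardRule struct {
	prefix string
	suffix string
}

// parseRule turns a single "*"-containing allow-origin entry into a rule.
// With trailingTruncate set it reproduces the behaviour the advisory
// describes (a model of the described behaviour, not the middleware's code):
// for a pattern that ends in "*", the character before the "*" is dropped
// from the prefix, so "https://example.com/*" becomes the prefix
// "https://example.com", which "https://example.community" also satisfies.
func parseRule(pattern string, trailingTruncate bool) (wildcardRule, error) {
	if strings.Count(pattern, "*") != 1 {
		return wildcardRule{}, fmt.Errorf("pattern %q must contain exactly one '*'", pattern)
	}
	i := strings.Index(pattern, "*")
	switch {
	case i == 0:
		// "*.example.com" style: suffix match only
		return wildcardRule{prefix: "", suffix: pattern[1:]}, nil
	case i == len(pattern)-1:
		if trailingTruncate {
			return wildcardRule{prefix: pattern[:i-1], suffix: ""}, nil // drops the "/"
		}
		return wildcardRule{prefix: pattern[:i], suffix: ""}, nil
	default:
		return wildcardRule{prefix: pattern[:i], suffix: pattern[i+1:]}, nil
	}
}

// matches applies the rule to a request Origin value.
func (r wildcardRule) matches(origin string) bool {
	return strings.HasPrefix(origin, r.prefix) && strings.HasSuffix(origin, r.suffix)
}

// OriginAllowed reports whether origin is accepted by any of the patterns.
// flawed=true selects the modelled pre-1.6.0 behaviour; false selects the
// strict prefix/suffix behaviour.
func OriginAllowed(patterns []string, origin string, flawed bool) bool {
	for _, p := range patterns {
		r, err := parseRule(p, flawed)
		if err != nil {
			continue // a real configuration should reject malformed patterns instead
		}
		if r.matches(origin) {
			return true
		}
	}
	return false
}

// RiskyPatterns lists configured patterns whose "*" is at the end: these are
// the entries whose effective scope widens under the flawed parser, so they
// are the ones to review on a deployment running an affected version.
func RiskyPatterns(patterns []string) []string {
	var out []string
	for _, p := range patterns {
		if len(p) > 1 && strings.HasSuffix(p, "*") {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed configuration built from the advisory's own example patterns.
	patterns := []string{"https://example.com/*", "http://localhost/*"}
	origins := []string{"https://example.com/app", "https://example.community", "http://localhost.example.com"}
	for _, o := range origins {
		fmt.Printf("%-30s flawed=%-5v strict=%v\n", o, OriginAllowed(patterns, o, true), OriginAllowed(patterns, o, false))
	}
	fmt.Println("patterns to review:", RiskyPatterns(patterns))
}
```

Running it shows the two advisory origins accepted only by the modelled flawed parser, while `https://example.com/app` is accepted by both. On a deployment that cannot move to 1.6.0 yet, `RiskyPatterns` is the audit worth doing: any trailing-wildcard entry in the allow-origin list is matching more hosts than its author intended.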
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-api-rhel9 | Fix deferred | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-controller-rhel9 | Fix deferred | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-openstack-populator-rhel9 | Fix deferred | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-ova-provider-server-rhel9 | Fix deferred | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-populator-controller-rhel9 | Fix deferred | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-rhel8-operator | Fix deferred | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-rhv-populator-rhel8 | Fix deferred | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-validation-rhel9 | Fix deferred | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-virt-v2v-rhel9 | Fix deferred | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8 | Fix deferred | | |
Additional information
CVSS3: 6.5 Medium