Description
Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.
A flaw was found in the CORS filter feature of the go-restful package. When a request carries an origin that is listed in AllowedDomains, every domain that starts with the same prefix is also accepted. This issue could allow an attacker to break the CORS policy by allowing any page to make requests and retrieve data on behalf of users.
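The check class the advisory describes, shown as an added illustration (not the go-restful source): a prefix-based origin check beside an exact-match one, run over constructed origins; `allowedDomains` and the look-alike origins are assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedDomains is a constructed sample of origins an operator intends to
// trust (an assumption for this example, not configuration from the page).
var allowedDomains = []string{"https://app.example.com"}

// prefixAllowsOrigin models the flawed behaviour described above: an origin
// is accepted as soon as it merely starts with an allowed entry, so any
// longer origin sharing that prefix also passes the CORS policy.
func prefixAllowsOrigin(allowed []string, origin string) bool {
	for _, d := range allowed {
		if strings.HasPrefix(origin, d) {
			return true
		}
	}
	return false
}

// exactAllowsOrigin is the hardened form: the whole Origin value must equal
// an allowed entry, so a look-alike origin with extra trailing labels or
// characters is rejected.
func exactAllowsOrigin(allowed []string, origin string) bool {
	for _, d := range allowed {
		if origin == d {
			return true
		}
	}
	return false
}

func main() {
	// Constructed origins: the trusted one and two that only share its prefix.
	origins := []string{
		"https://app.example.com",
		"https://app.example.com.attacker.test",
		"https://app.example.comevil",
	}
	for _, o := range origins {
		fmt.Printf("%-40s prefix=%-5v exact=%v\n", o,
			prefixAllowsOrigin(allowedDomains, o), exactAllowsOrigin(allowedDomains, o))
	}
}
```

Running the program prints `prefix=true` for all three origins but `exact=true` only for the first, which is the gap the v3.8.0 fix closes.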
Statement
The go-restful package is a transitive dependency pulled in through k8s.io/api and is not directly used anywhere in OpenShift Container Platform (OCP), OpenShift Container Storage, OpenShift Data Foundation, OpenShift Do and OpenShift Pipelines; hence these components are marked as "Will not fix" or even "Not affected".
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | helm | Affected | | |
| OpenShift Developer Tools and Services | odo | Will not fix | | |
| OpenShift Pipelines | openshift-pipelines-client | Not affected | | |
| OpenShift Serverless | CLI | Affected | | |
| OpenShift Serverless | knative-eventing | Affected | | |
| OpenShift Service Mesh 2.0 | servicemesh | Not affected | | |
| OpenShift Service Mesh 2.1 | servicemesh | Not affected | | |
| OpenShift Service Mesh 2.1 | servicemesh-prometheus | Not affected | | |
| Red Hat 3scale API Management Platform 2 | 3scale-rhel7-operator | Affected | | |
| Red Hat Ansible Automation Platform 1.2 | openshift-clients | Will not fix | | |
Additional information
CVSS3: 9.1 Critical