x/vulndb: potential Go vuln in github.com/rs/cors #1792

Closed
KenJPH opened this issue May 25, 2023 · 5 comments

Comments

KenJPH commented May 25, 2023

Description

The CORS handler actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

Affected Modules, Packages, Versions and Symbols

Module: github.com/rs/cors
Package: github.com/rs/cors
Versions:
  - Introduced: 1.1.0
  - Fixed: 1.5.0
Symbols:
  - all symbols

Does this vulnerability already have an associated CVE ID?

Yes

CVE ID

CVE-2018-20744

Credit

No response

CWE ID

CWE-346

Pull Request

rs/cors#57

Commit

No response

References

Additional information

The CVE states up to version 1.3.0 but 1.4.0 is also vulnerable as it doesn't contain the fix.
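The report above describes a wildcard policy being implemented as "echo back whatever Origin the request carries". The following Go program is an added illustration written for this page; it is not rs/cors code and makes no claim about that library's internals. It contains two hypothetical middlewares, `reflectingCORS` (the behaviour the report describes) and `literalWildcardCORS` (a literal `*`), plus a small defender-side probe, `probeOrigin`, that sends one request with a constructed Origin and reports whether the server reflected it. The origin value `https://untrusted.example` is constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// reflectingCORS shows the behaviour the report describes: a policy meant to
// be a wildcard ("any origin") is implemented by copying whatever Origin header
// the request carries into the response. Illustrative code, not rs/cors.
func reflectingCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			// Any caller-supplied value is echoed straight back.
			w.Header().Set("Access-Control-Allow-Origin", origin)
		}
		next.ServeHTTP(w, r)
	})
}

// literalWildcardCORS emits the literal "*" instead. Browsers treat "*" as
// "public, unauthenticated": they will not expose such a response to a
// credentialed cross-origin request. A reflected concrete origin carries no
// such restriction, which is why the two forms are not interchangeable.
func literalWildcardCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") != "" {
			w.Header().Set("Access-Control-Allow-Origin", "*")
		}
		next.ServeHTTP(w, r)
	})
}

// probeOrigin is a defender-side check: issue one in-memory request carrying
// the given Origin and report the Access-Control-Allow-Origin value that came
// back and whether it merely echoed the input.
func probeOrigin(h http.Handler, origin string) (allowOrigin string, reflected bool) {
	req := httptest.NewRequest(http.MethodGet, "/resource", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	allowOrigin = rec.Header().Get("Access-Control-Allow-Origin")
	return allowOrigin, allowOrigin != "" && allowOrigin == origin
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	// Constructed probe origin; no real allow-list would contain it.
	const probe = "https://untrusted.example"
	for name, h := range map[string]http.Handler{
		"reflecting":       reflectingCORS(ok),
		"literal-wildcard": literalWildcardCORS(ok),
	} {
		got, reflected := probeOrigin(h, probe)
		fmt.Printf("%-16s Access-Control-Allow-Origin=%q reflected=%v\n", name, got, reflected)
	}
}
```

Running the program shows the reflecting middleware answering with the probe origin verbatim while the literal variant answers `*`. The same `probeOrigin` check can be pointed at any `http.Handler` in a test suite to catch a wildcard configuration that has silently become origin reflection.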

@maceonthompson

Thanks for the report! This will be designated as GO-1792-2023 in the Go Vulnerability Database, and will appear in the database by EOD Wednesday next week.

@maceonthompson maceonthompson self-assigned this May 26, 2023
@gopherbot

Change https://go.dev/cl/500075 mentions this issue: data/reports: add GO-2023-1792.yaml

KenJPH commented Jun 12, 2023

Change https://go.dev/cl/500075 mentions this issue: data/reports: add GO-2023-1792.yaml

Why does this change reference github.com/gofiber/fiber/v2 but not github.com/rs/cors?

@tatianab tatianab reopened this Jun 13, 2023
@gopherbot

Change https://go.dev/cl/502637 mentions this issue: data/reports: update GO-2023-1792.yaml

gopherbot pushed a commit that referenced this issue Jun 14, 2023
Aliases: CVE-2018-20744, GHSA-927h-x4qj-r242

Updates #1792

Change-Id: Ia06ce178426eca9eaf356b6d8123bc4824525b6b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/502637
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Maceo Thompson <maceothompson@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
@maceonthompson

@KenJPH that was an error on our end when creating the report, thanks for catching it!
