GHSA-vhxv-fg4m-p2w8: Some CORS middleware allow untrusted origins

Impact

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.

For example, specifying origin patterns https://foo.com and https://bar.com (in that order) would yield a middleware that would incorrectly allow untrusted origin https://barfoo.com.
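As an added illustration (not code from jub0bs/cors or from the advisory), the following Go regression check derives, from an origin allowlist, the kind of suffix-confused origin the advisory describes (https://foo.com and https://bar.com yielding https://barfoo.com) and probes a CORS-wrapped handler with each one; `exactOriginCORS`, `originGranted` and `suffixConfusions` are names constructed for this example, and the reference middleware compares origins by whole-string equality only.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// exactOriginCORS is a reference middleware written for this example (not
// jub0bs/cors): an origin is granted only if it equals an allowlist entry exactly.
func exactOriginCORS(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		for _, o := range allowed {
			if o == origin { // whole-string equality, never a suffix or prefix match
				w.Header().Set("Access-Control-Allow-Origin", origin)
			}
		}
		next.ServeHTTP(w, r)
	})
}

// originGranted reports whether h reflects origin in Access-Control-Allow-Origin.
func originGranted(h http.Handler, origin string) bool {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin") == origin
}

// suffixConfusions probes h, for each ordered pair of distinct allowlist entries,
// with an origin whose host ends with one allowed host and begins with the other's
// first label (foo.com + bar.com -> barfoo.com, the advisory's case); it returns the probes h wrongly grants.
func suffixConfusions(h http.Handler, allowed []string) []string {
	var granted []string
	for _, a := range allowed {
		for _, b := range allowed {
			sa, sb := strings.SplitN(a, "://", 2), strings.SplitN(b, "://", 2)
			if a == b || len(sa) != 2 || len(sb) != 2 {
				continue
			}
			probe := sa[0] + "://" + strings.SplitN(sb[1], ".", 2)[0] + sa[1]
			if originGranted(h, probe) {
				granted = append(granted, probe)
			}
		}
	}
	return granted
}
```

Wrap your own middleware around any handler and pass it to `suffixConfusions` with the same allowlist; a non-empty result means the middleware grants an origin it should reject.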

Patches

Patched in v0.1.3.

Workarounds

None.

Critical severity • GitHub Reviewed • Published May 2, 2024 in jub0bs/cors • Updated May 3, 2024

Package

gomod github.com/jub0bs/cors (Go)

Affected versions

< 0.1.3

References

  • GHSA-vhxv-fg4m-p2w8
  • jub0bs/cors@5bc0648

Published to the GitHub Advisory Database

May 3, 2024
