data/reports/GO-2022-0619.yaml - vulndb - Git at Google

 modules:
   - module: github.com/emicklei/go-restful
     versions:
       - fixed: 2.16.0+incompatible
     vulnerable_at: 2.15.0+incompatible
     packages:
       - package: github.com/emicklei/go-restful
         symbols:
           - CrossOriginResourceSharing.isOriginAllowed
         derived_symbols:
           - CrossOriginResourceSharing.Filter
   - module: github.com/emicklei/go-restful/v2
     versions:
       - introduced: 2.7.1
     vulnerable_at: 2.7.1
     packages:
       - package: github.com/emicklei/go-restful/v2
         symbols:
           - CrossOriginResourceSharing.isOriginAllowed
         derived_symbols:
           - CrossOriginResourceSharing.Filter
   - module: github.com/emicklei/go-restful/v3
     versions:
       - introduced: 3.0.0
         fixed: 3.8.0
     vulnerable_at: 3.7.4
     packages:
       - package: github.com/emicklei/go-restful/v3
         symbols:
           - CrossOriginResourceSharing.isOriginAllowed
         derived_symbols:
           - CrossOriginResourceSharing.Filter
 description: |
     CORS filters that use an AllowedDomains configuration parameter
     can match domains outside the specified set, permitting an attacker
     to avoid the CORS policy.

     The AllowedDomains configuration parameter is documented as a list of
     allowed origin domains, but values in this list are applied as regular
     expression matches. For example, an allowed domain of "example.com" will
     match the Origin header "example.com.malicious.domain".
 published: 2022-08-15T18:05:29Z
 cves:
   - CVE-2022-1996
 ghsas:
   - GHSA-r48q-9g5r-8q2h
 references:
   - fix: https://github.com/emicklei/go-restful/commit/f292efff46ae17e9d104f865a60a39a2ae9402f1
   - web: https://github.com/emicklei/go-restful/issues/489
	modules:
	- module: github.com/emicklei/go-restful
	versions:
	- fixed: 2.16.0+incompatible
	vulnerable_at: 2.15.0+incompatible
	packages:
	- package: github.com/emicklei/go-restful
	symbols:
	- CrossOriginResourceSharing.isOriginAllowed
	derived_symbols:
	- CrossOriginResourceSharing.Filter
	- module: github.com/emicklei/go-restful/v2
	versions:
	- introduced: 2.7.1
	vulnerable_at: 2.7.1
	packages:
	- package: github.com/emicklei/go-restful/v2
	symbols:
	- CrossOriginResourceSharing.isOriginAllowed
	derived_symbols:
	- CrossOriginResourceSharing.Filter
	- module: github.com/emicklei/go-restful/v3
	versions:
	- introduced: 3.0.0
	fixed: 3.8.0
	vulnerable_at: 3.7.4
	packages:
	- package: github.com/emicklei/go-restful/v3
	symbols:
	- CrossOriginResourceSharing.isOriginAllowed
	derived_symbols:
	- CrossOriginResourceSharing.Filter
	description: \|
	CORS filters that use an AllowedDomains configuration parameter
	can match domains outside the specified set, permitting an attacker
	to avoid the CORS policy.

	The AllowedDomains configuration parameter is documented as a list of
	allowed origin domains, but values in this list are applied as regular
	expression matches. For example, an allowed domain of "example.com" will
	match the Origin header "example.com.malicious.domain".
	published: 2022-08-15T18:05:29Z
	cves:
	- CVE-2022-1996
	ghsas:
	- GHSA-r48q-9g5r-8q2h
	references:
	- fix: https://github.com/emicklei/go-restful/commit/f292efff46ae17e9d104f865a60a39a2ae9402f1
	- web: https://github.com/emicklei/go-restful/issues/489