| id: GO-2024-2812 |
| modules: |
| - module: github.com/jub0bs/fcors |
| versions: |
| - fixed: 0.9.0 |
| vulnerable_at: 0.8.0 |
| packages: |
| - package: github.com/jub0bs/fcors/internal/radix |
| symbols: |
| - splitRight |
| - Tree.Insert |
| - node.add |
| - lengthOfCommonSuffix |
| - lastByteIn |
| - Tree.Contains |
| summary: Some CORS middleware allow untrusted origins in github.com/jub0bs/fcors |
| description: |- |
| Some CORS middleware (more specifically those created by specifying two or more |
| origin patterns whose hosts share a proper suffix) incorrectly allow some |
| untrusted origins, thereby opening the door to cross-origin attacks from the |
| untrusted origins in question. |
| |
| For example, specifying origin patterns "https://foo.com" and "https://bar.com" |
| (in that order) would yield a middleware that would incorrectly allow untrusted |
| origin "https://barfoo.com". |
| ghsas: |
| - GHSA-v84h-653v-4pq9 |
| related: |
| - GHSA-vhxv-fg4m-p2w8 |
| references: |
| - advisory: https://github.com/jub0bs/fcors/security/advisories/GHSA-v84h-653v-4pq9 |
| - fix: https://github.com/jub0bs/fcors/commit/b5dcb889a49def37d7d9c25deb7135f4eb45625e |
| source: |
| id: GHSA-v84h-653v-4pq9 |
| created: 2024-05-20T16:46:53.091159-04:00 |
| review_status: REVIEWED |
