| id: GO-2024-2813 |
| modules: |
| - module: github.com/jub0bs/cors |
| versions: |
| - fixed: 0.1.3 |
| vulnerable_at: 0.1.2 |
| packages: |
| - package: github.com/jub0bs/cors/internal/origins/radix |
| symbols: |
| - Tree.Contains |
| - Tree.Insert |
| summary: Some CORS middleware allow untrusted origins in github.com/jub0bs/cors |
| description: |- |
| Some CORS middleware (more specifically those created by specifying two or more |
| origin patterns whose hosts share a proper suffix) incorrectly allow some |
| untrusted origins, thereby opening the door to cross-origin attacks from the |
| untrusted origins in question. |
| |
| For example, specifying origin patterns "https://foo.com" and "https://bar.com" |
| (in that order) would yield a middleware that would incorrectly allow untrusted |
| origin "https://barfoo.com". |
| ghsas: |
| - GHSA-vhxv-fg4m-p2w8 |
| related: |
| - GHSA-v84h-653v-4pq9 |
| references: |
| - advisory: https://github.com/jub0bs/cors/security/advisories/GHSA-vhxv-fg4m-p2w8 |
| - fix: https://github.com/jub0bs/cors/commit/63900fa1776237095fa0ed47ff85791e21f3a7d7 |
| source: |
| id: GHSA-vhxv-fg4m-p2w8 |
| created: 2024-05-20T16:46:53.79904-04:00 |
| review_status: REVIEWED |
