| id: GO-2022-0619 |
| modules: |
| - module: github.com/emicklei/go-restful |
| versions: |
| - fixed: 2.16.0+incompatible |
| vulnerable_at: 2.15.0+incompatible |
| packages: |
| - package: github.com/emicklei/go-restful |
| symbols: |
| - CrossOriginResourceSharing.isOriginAllowed |
| derived_symbols: |
| - CrossOriginResourceSharing.Filter |
| - module: github.com/emicklei/go-restful/v2 |
| versions: |
| - introduced: 2.7.1 |
| vulnerable_at: 2.7.1 |
| packages: |
| - package: github.com/emicklei/go-restful/v2 |
| symbols: |
| - CrossOriginResourceSharing.isOriginAllowed |
| derived_symbols: |
| - CrossOriginResourceSharing.Filter |
| - module: github.com/emicklei/go-restful/v3 |
| versions: |
| - introduced: 3.0.0 |
| - fixed: 3.8.0 |
| vulnerable_at: 3.7.4 |
| packages: |
| - package: github.com/emicklei/go-restful/v3 |
| symbols: |
| - CrossOriginResourceSharing.isOriginAllowed |
| derived_symbols: |
| - CrossOriginResourceSharing.Filter |
| summary: |- |
| Authorization bypass in github.com/emicklei/go-restful, go-restful/v2 and |
| go-restful/v3 |
| description: |- |
| CORS filters that use an AllowedDomains configuration parameter can match |
| domains outside the specified set, permitting an attacker to avoid the CORS |
| policy. |
| |
| The AllowedDomains configuration parameter is documented as a list of allowed |
| origin domains, but values in this list are applied as regular expression |
| matches. For example, an allowed domain of "example.com" will match the Origin |
| header "example.com.malicious.domain". |
| published: 2022-08-15T18:05:29Z |
| cves: |
| - CVE-2022-1996 |
| ghsas: |
| - GHSA-r48q-9g5r-8q2h |
| references: |
| - fix: https://github.com/emicklei/go-restful/commit/f292efff46ae17e9d104f865a60a39a2ae9402f1 |
| - web: https://github.com/emicklei/go-restful/issues/489 |
| review_status: REVIEWED |