id: GO-2022-0619
modules:
    - module: github.com/emicklei/go-restful
      versions:
        - fixed: 2.16.0+incompatible
      vulnerable_at: 2.15.0+incompatible
      packages:
        - package: github.com/emicklei/go-restful
          symbols:
            - CrossOriginResourceSharing.isOriginAllowed
          derived_symbols:
            - CrossOriginResourceSharing.Filter
    - module: github.com/emicklei/go-restful/v2
      versions:
        - introduced: 2.7.1
      vulnerable_at: 2.7.1
      packages:
        - package: github.com/emicklei/go-restful/v2
          symbols:
            - CrossOriginResourceSharing.isOriginAllowed
          derived_symbols:
            - CrossOriginResourceSharing.Filter
    - module: github.com/emicklei/go-restful/v3
      versions:
        - introduced: 3.0.0
        - fixed: 3.8.0
      vulnerable_at: 3.7.4
      packages:
        - package: github.com/emicklei/go-restful/v3
          symbols:
            - CrossOriginResourceSharing.isOriginAllowed
          derived_symbols:
            - CrossOriginResourceSharing.Filter
summary: |-
    Authorization bypass in github.com/emicklei/go-restful, go-restful/v2 and
    go-restful/v3
description: |-
    CORS filters that use an AllowedDomains configuration parameter can match
    domains outside the specified set, permitting an attacker to avoid the CORS
    policy.

    The AllowedDomains configuration parameter is documented as a list of allowed
    origin domains, but values in this list are applied as regular expression
    matches. For example, an allowed domain of "example.com" will match the Origin
    header "example.com.malicious.domain".
published: 2022-08-15T18:05:29Z
cves:
    - CVE-2022-1996
ghsas:
    - GHSA-r48q-9g5r-8q2h
references:
    - fix: https://github.com/emicklei/go-restful/commit/f292efff46ae17e9d104f865a60a39a2ae9402f1
    - web: https://github.com/emicklei/go-restful/issues/489
review_status: REVIEWED