blob: be80ac5d6ad184307661d01ffe940ac8952a28ef [file] [log] [blame]
id: GO-2024-2812
modules:
- module: github.com/jub0bs/fcors
versions:
- fixed: 0.9.0
vulnerable_at: 0.8.0
packages:
- package: github.com/jub0bs/fcors/internal/radix
symbols:
- splitRight
- Tree.Insert
- node.add
- lengthOfCommonSuffix
- lastByteIn
- Tree.Contains
summary: Some CORS middleware allow untrusted origins in github.com/jub0bs/fcors
description: |-
Some CORS middleware (more specifically those created by specifying two or more
origin patterns whose hosts share a proper suffix) incorrectly allow some
untrusted origins, thereby opening the door to cross-origin attacks from the
untrusted origins in question.
For example, specifying origin patterns "https://foo.com" and "https://bar.com"
(in that order) would yield a middleware that would incorrectly allow untrusted
origin "https://barfoo.com".
ghsas:
- GHSA-v84h-653v-4pq9
related:
- GHSA-vhxv-fg4m-p2w8
references:
- advisory: https://github.com/jub0bs/fcors/security/advisories/GHSA-v84h-653v-4pq9
- fix: https://github.com/jub0bs/fcors/commit/b5dcb889a49def37d7d9c25deb7135f4eb45625e
source:
id: GHSA-v84h-653v-4pq9
created: 2024-05-20T16:46:53.091159-04:00
review_status: REVIEWED