data/reports/GO-2024-2574.yaml - vulndb - Git at Google

 id: GO-2024-2574
 modules:
     - module: github.com/gofiber/fiber/v2
       versions:
         - fixed: 2.52.1
       vulnerable_at: 2.52.0
       packages:
         - package: github.com/gofiber/fiber/v2/middleware/cors
           symbols:
             - New
             - matchSubdomain
 summary: |-
     Insecure CORS Configuration allowing wildcard origin with credentials in
     github.com/gofiber/fiber/v2
 description: |-
     The CORS middleware allows for insecure configurations that could potentially
     expose the application to multiple CORS-related vulnerabilities. Specifically,
     it allows setting the Access-Control-Allow-Origin header to a wildcard ("*")
     while also having the Access-Control-Allow-Credentials set to true, which goes
     against recommended security best practices.
 cves:
     - CVE-2024-25124
 ghsas:
     - GHSA-fmg4-x8pw-hjhg
 references:
     - advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg
     - fix: https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23
     - web: http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
     - web: https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials
     - web: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
     - web: https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
     - web: https://github.com/gofiber/fiber/releases/tag/v2.52.1
     - web: https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true
 source:
     id: GHSA-fmg4-x8pw-hjhg
     created: 2024-05-17T15:29:50.096863-04:00
 review_status: REVIEWED
	id: GO-2024-2574
	modules:
	- module: github.com/gofiber/fiber/v2
	versions:
	- fixed: 2.52.1
	vulnerable_at: 2.52.0
	packages:
	- package: github.com/gofiber/fiber/v2/middleware/cors
	symbols:
	- New
	- matchSubdomain
	summary: \|-
	Insecure CORS Configuration allowing wildcard origin with credentials in
	github.com/gofiber/fiber/v2
	description: \|-
	The CORS middleware allows for insecure configurations that could potentially
	expose the application to multiple CORS-related vulnerabilities. Specifically,
	it allows setting the Access-Control-Allow-Origin header to a wildcard ("*")
	while also having the Access-Control-Allow-Credentials set to true, which goes
	against recommended security best practices.
	cves:
	- CVE-2024-25124
	ghsas:
	- GHSA-fmg4-x8pw-hjhg
	references:
	- advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg
	- fix: https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23
	- web: http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
	- web: https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials
	- web: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
	- web: https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
	- web: https://github.com/gofiber/fiber/releases/tag/v2.52.1
	- web: https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true
	source:
	id: GHSA-fmg4-x8pw-hjhg
	created: 2024-05-17T15:29:50.096863-04:00
	review_status: REVIEWED