id: GO-2024-2604
modules:
    - module: github.com/zeromicro/go-zero
      versions:
          - fixed: 1.4.4
      vulnerable_at: 1.4.3
      packages:
          - package: github.com/zeromicro/go-zero/rest/internal/cors
            symbols:
                - isOriginAllowed
summary: CORS Filter bypass in github.com/zeromicro/go-zero
description: |-
    The CORS Filter feature in go-zero allows users to specify an array of domains
    allowed in the CORS policy. However, the isOriginAllowed function uses
    strings.HasSuffix to check the origin, which can lead to a bypass via a domain
    like "evil-victim.com". This vulnerability is capable of breaking CORS policy
    and thus allowing any page to make requests and retrieve data on behalf of other
    users.
cves:
    - CVE-2024-27302
ghsas:
    - GHSA-fgxv-gw55-r5fq
credits:
    - cokeBeer
references:
    - advisory: https://github.com/zeromicro/go-zero/security/advisories/GHSA-fgxv-gw55-r5fq
    - fix: https://github.com/zeromicro/go-zero/commit/d9d79e930dff6218a873f4f02115df61c38b15db
review_status: REVIEWED