id: GO-2022-0619
modules:
    - module: github.com/emicklei/go-restful
      versions:
        - fixed: 2.16.0+incompatible
      vulnerable_at: 2.15.0+incompatible
      packages:
        - package: github.com/emicklei/go-restful
          symbols:
            - CrossOriginResourceSharing.isOriginAllowed
          derived_symbols:
            - CrossOriginResourceSharing.Filter
    - module: github.com/emicklei/go-restful/v2
      versions:
        - introduced: 2.7.1
      vulnerable_at: 2.7.1
      packages:
        - package: github.com/emicklei/go-restful/v2
          symbols:
            - CrossOriginResourceSharing.isOriginAllowed
          derived_symbols:
            - CrossOriginResourceSharing.Filter
    - module: github.com/emicklei/go-restful/v3
      versions:
        - introduced: 3.0.0
          fixed: 3.8.0
      vulnerable_at: 3.7.4
      packages:
        - package: github.com/emicklei/go-restful/v3
          symbols:
            - CrossOriginResourceSharing.isOriginAllowed
          derived_symbols:
            - CrossOriginResourceSharing.Filter
summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
description: |
    CORS filters that use an AllowedDomains configuration parameter
    can match domains outside the specified set, permitting an attacker
    to bypass the CORS policy.

    The AllowedDomains configuration parameter is documented as a list of
    allowed origin domains, but each value in this list is applied as a
    regular expression match rather than an exact string comparison. For
    example, an allowed domain of "example.com" will match the Origin
    header "example.com.malicious.domain".
published: 2022-08-15T18:05:29Z
cves:
    - CVE-2022-1996
ghsas:
    - GHSA-r48q-9g5r-8q2h
references:
    - fix: https://github.com/emicklei/go-restful/commit/f292efff46ae17e9d104f865a60a39a2ae9402f1
    - web: https://github.com/emicklei/go-restful/issues/489