GHSA-2j9c-9vmv-7m39
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2j9c-9vmv-7m39
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-2j9c-9vmv-7m39/GHSA-2j9c-9vmv-7m39.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2j9c-9vmv-7m39
- Aliases
- Published
- 2018-07-31T18:18:39Z
- Modified
- 2024-12-03T06:02:08.526584Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Missing Regex anchor in Rack-Cors allows malicious third party site to perform CORS request
- Details
-
Missing anchor in generated regex for rack-cors before 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted
example.comdomain name and not the maliciousexample.netdomain name, thenexample.com.example.net(as well asexample.com-example.net) would be inadvertently allowed. - Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:52:24Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-11173
- https://github.com/cyu/rack-cors/commit/42ebe6caa8e85ffa9c8a171bda668ba1acc7a5e6
- https://github.com/cyu/rack-cors
- https://packetstormsecurity.com/files/143345/rack-cors-Missing-Anchor.html
- http://seclists.org/fulldisclosure/2017/Jul/22
- http://www.debian.org/security/2017/dsa-3931
Affected packages
RubyGems / rack-cors
Package
- Name
- rack-cors
- Purl
- pkg:gem/rack-cors