GHSA-jcr6-mmjj-pchw

Suggest an improvement
Source
https://github.com/advisories/GHSA-jcr6-mmjj-pchw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-jcr6-mmjj-pchw/GHSA-jcr6-mmjj-pchw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jcr6-mmjj-pchw
Aliases
Published
2022-12-28T00:30:23Z
Modified
2023-11-08T03:59:17.264487Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
gorilla/handlers may allow requester to bypass expected behavior of the Same Origin Policy
Details

Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T19:18:39Z",
    "nvd_published_at": "2022-12-27T22:15:00Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-346"
    ]
}
References

Affected packages

Go / github.com/gorilla/handlers

Package

Name
github.com/gorilla/handlers
View open source insights on deps.dev
Purl
pkg:golang/github.com/gorilla/handlers

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.0