GO-2022-0619

Source
https://pkg.go.dev/vuln/GO-2022-0619
Import Source
https://vuln.go.dev/ID/GO-2022-0619.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0619
Aliases
Published
2022-08-15T18:05:29Z
Modified
2024-05-20T16:03:47Z
Summary
Authorization bypass in github.com/emicklei/go-restful, go-restful/v2 and go-restful/v3
Details

CORS filters that use an AllowedDomains configuration parameter can match domains outside the specified set, permitting an attacker to avoid the CORS policy.

The AllowedDomains configuration parameter is documented as a list of allowed origin domains, but values in this list are applied as regular expression matches. For example, an allowed domain of "example.com" will match the Origin header "example.com.malicious.domain".

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0619"
}
References

Affected packages

Go / github.com/emicklei/go-restful

Package

Name
github.com/emicklei/go-restful
View open source insights on deps.dev
Purl
pkg:golang/github.com/emicklei/go-restful

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.16.0+incompatible

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/emicklei/go-restful",
            "symbols": [
                "CrossOriginResourceSharing.Filter",
                "CrossOriginResourceSharing.isOriginAllowed"
            ]
        }
    ]
}

Go / github.com/emicklei/go-restful/v2

Package

Name
github.com/emicklei/go-restful/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/emicklei/go-restful/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.7.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/emicklei/go-restful/v2",
            "symbols": [
                "CrossOriginResourceSharing.Filter",
                "CrossOriginResourceSharing.isOriginAllowed"
            ]
        }
    ]
}

Go / github.com/emicklei/go-restful/v3

Package

Name
github.com/emicklei/go-restful/v3
View open source insights on deps.dev
Purl
pkg:golang/github.com/emicklei/go-restful/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.8.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/emicklei/go-restful/v3",
            "symbols": [
                "CrossOriginResourceSharing.Filter",
                "CrossOriginResourceSharing.isOriginAllowed"
            ]
        }
    ]
}