GO-2022-0619

Source

https://pkg.go.dev/vuln/GO-2022-0619

Import Source

https://vuln.go.dev/ID/GO-2022-0619.json

Aliases

Published

2022-08-15T18:05:29Z

Modified

2023-11-08T04:07:52.940602Z

Details

CORS filters that use an AllowedDomains configuration parameter can match domains outside the specified set, permitting an attacker to avoid the CORS policy.

The AllowedDomains configuration parameter is documented as a list of allowed origin domains, but values in this list are applied as regular expression matches. For example, an allowed domain of "example.com" will match the Origin header "example.com.malicious.domain".

References

Affected packages

Go / github.com/emicklei/go-restful

Package

Name: github.com/emicklei/go-restful

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.16.0+incompatible

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/emicklei/go-restful",
            "symbols": [
                "CrossOriginResourceSharing.Filter",
                "CrossOriginResourceSharing.isOriginAllowed"
            ]
        }
    ]
}

Go / github.com/emicklei/go-restful/v2

Package

Name: github.com/emicklei/go-restful/v2

Affected ranges

Type: SEMVER
Events: Introduced

2.7.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/emicklei/go-restful/v2",
            "symbols": [
                "CrossOriginResourceSharing.Filter",
                "CrossOriginResourceSharing.isOriginAllowed"
            ]
        }
    ]
}

Go / github.com/emicklei/go-restful/v3

Package

Name: github.com/emicklei/go-restful/v3

Affected ranges

Type: SEMVER
Events: Introduced

3.0.0

Fixed

3.8.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/emicklei/go-restful/v3",
            "symbols": [
                "CrossOriginResourceSharing.Filter",
                "CrossOriginResourceSharing.isOriginAllowed"
            ]
        }
    ]
}