GitHub Advisory DatabaseGHSA-927H-X4QJ-R242github.com/gofiber/fiber/v2 vulnerable to Origin Validation Error
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
48.7%
The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/rs/cors | lt | 1.5.0 | |
| github.com/gofiber/fiber/v2 | lt | 2.43.0 |
References
github.com/advisories/GHSA-927h-x4qj-r242
github.com/gofiber/fiber/issues/2338
github.com/gofiber/fiber/pull/2339
github.com/rs/cors/issues/55
github.com/rs/cors/pull/57
nvd.nist.gov/vuln/detail/CVE-2018-20744
web.archive.org/web/20200227091122/www.securityfocus.com/bid/106834
www.usenix.org/system/files/conference/usenixsecurity18/sec18-chen.pdf
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
48.7%