Lucene search

GoogleOSV:CVE-2024-27302

HistoryMar 06, 2024 - 7:15 p.m.

CVE-2024-27302

2024-03-0619:15:08

Google

osv.dev

go-zero

cors filter

bypass

malicious domain

security vulnerability

fix

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

go-zero is a web and rpc framework. Go-zero allows user to specify a CORS Filter with a configurable allows param - which is an array of domains allowed in CORS policy. However, the isOriginAllowed uses strings.HasSuffix to check the origin, which leads to bypass via a malicious domain. This vulnerability is capable of breaking CORS policy and thus allowing any page to make requests and/or retrieve data on behalf of other users. Version 1.4.4 fixes this issue.

CPENameOperatorVersion
go-zeroeq1.0.18
go-zeroeq1.0.28
go-zeroeq1.2.3
go-zeroeqtools/goctl/v1.4.1
go-zeroeq1.0.21
go-zeroeq1.0.7
go-zeroeq1.1.5
go-zeroeq1.1.7
go-zeroeq1.4.0
go-zeroeq1.1.8

Name	Operator	Version
go-zero	eq	1.0.18
go-zero	eq	1.0.28
go-zero	eq	1.2.3
go-zero	eq	tools/goctl/v1.4.1
go-zero	eq	1.0.21
go-zero	eq	1.0.7
go-zero	eq	1.1.5
go-zero	eq	1.1.7
go-zero	eq	1.4.0
go-zero	eq	1.1.8

Rows per page:

1-10 of 841

References

github.com/zeromicro/go-zero/commit/d9d79e930dff6218a873f4f02115df61c38b15db

github.com/zeromicro/go-zero/security/advisories/GHSA-fgxv-gw55-r5fq

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for OSV:CVE-2024-27302