Lucene search

Veracode Vulnerability DatabaseVERACODE:44631

HistoryDec 12, 2023 - 5:34 a.m.

Same-Origin Policy Bypass

2023-12-1205:34:34

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

koa

cors

same-origin policy

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

17.8%

JSON

@koa/cors is vulnerable to Same-Origin Policy Bypass. The vulnerability exists in the index.js because the middleware operates in a way that if an allowed origin is not provided by default, it will return an Access-Control-Allow-Origin header with the value set to the origin from the request. This behavior disables a crucial elements of browsers, allowing an attacker to bypass the Same-Origin Policy.

References

github.com/koajs/cors/commit/f31dac99f5355c41e7d4dd3c4a80c5f154941a11

github.com/koajs/cors/security/advisories/GHSA-qxrj-hx23-xp82

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

17.8%

JSON

Related for VERACODE:44631