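parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string: e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed. As the examples show, the trailing wildcard is in effect matched as a prefix that does not stop at the end of the host name, so an origin on a different domain that merely begins with the configured string passes the CORS origin check. Deployments that allow origins with a trailing wildcard should upgrade to 1.6.0 or later and confirm that look-alike origins such as the ones above are rejected.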
[
{
"cpes": [
"cpe:2.3:a:gin-contrib:cors:*:*:*:*:*:*:*:*"
],
"vendor": "gin-contrib",
"product": "cors",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "1.6.0",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]