data/reports: update GO-2023-1792.yaml
Aliases: CVE-2018-20744, GHSA-927h-x4qj-r242

Updates #1792

Change-Id: Ia06ce178426eca9eaf356b6d8123bc4824525b6b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/502637
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Maceo Thompson <maceothompson@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Maceo Thompson committed Jun 14, 2023
1 parent a27b0c6 commit c49232b
Showing 2 changed files with 32 additions and 19 deletions.
23 changes: 16 additions & 7 deletions data/osv/GO-2023-1792.json
Expand Up @@ -7,32 +7,37 @@
"CVE-2018-20744",
"GHSA-927h-x4qj-r242"
],
"summary": "Problem in github.com/gofiber/fiber/v2",
"details": "Fiber's CORS middleware actively bypasses the wildcard exception: if developers configure their CORS to allow credentials and specify the wildcard as an allowed origin, the resulting middleware unconditionally reflects the value of the request's Origin header in the Access-Control-Allow-Origin response header.",
"summary": "Insecure wildcard CORS policy in github.com/rs/cors",
"details": "The CORS handler actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.",
"affected": [
{
"package": {
"name": "github.com/gofiber/fiber/v2",
"name": "github.com/rs/cors",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
"introduced": "0"
},
{
"fixed": "2.43.0"
"fixed": "1.5.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/gofiber/fiber/v2/middleware/cors",
"path": "github.com/rs/cors",
"symbols": [
"AllowAll",
"Cors.HandlerFunc",
"Cors.ServeHTTP",
"Cors.handlePreflight",
"Default",
"New"
]
}
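Review bot: the new range `"introduced": "0"` / `"fixed": "1.5.0"` marks every github.com/rs/cors release before 1.5.0 as affected; if the wildcard-to-reflected-Origin behaviour only appeared in a specific release, an explicit `introduced` event would keep vulncheck from flagging modules pinned to earlier, unaffected versions. Also worth a second look is the flat `symbols` list: it mixes the unexported `Cors.handlePreflight` with the exported entry points (`AllowAll`, `Default`, `New`, `Cors.ServeHTTP`, `Cors.HandlerFunc`), so confirm that the unexported method is the one actually performing the reflection and that the exported ones are derived from it rather than independently vulnerable.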
Expand All @@ -43,7 +48,11 @@
"references": [
{
"type": "FIX",
"url": "https://github.com/gofiber/fiber/pull/2339"
"url": "https://github.com/rs/cors/pull/57"
},
{
"type": "REPORT",
"url": "https://github.com/rs/cors/issues/55"
}
],
"database_specific": {
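Review bot: the references now carry a FIX (rs/cors/pull/57) and a REPORT (rs/cors/issues/55), but the aliases block in this same file lists GHSA-927h-x4qj-r242 and CVE-2018-20744 with no corresponding advisory reference; if the database convention is to link the GHSA advisory as well, add it here so readers can reach the upstream advisory text from the references list.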
28 changes: 16 additions & 12 deletions data/reports/GO-2023-1792.yaml
@@ -1,24 +1,28 @@
id: GO-2023-1792
modules:
- module: github.com/gofiber/fiber/v2
- module: github.com/rs/cors
versions:
- introduced: 2.0.0
fixed: 2.43.0
vulnerable_at: 2.42.0
- fixed: 1.5.0
vulnerable_at: 1.4.0
packages:
- package: github.com/gofiber/fiber/v2/middleware/cors
- package: github.com/rs/cors
symbols:
- New
summary: Problem in github.com/gofiber/fiber/v2
- Cors.handlePreflight
derived_symbols:
- AllowAll
- Cors.HandlerFunc
- Cors.ServeHTTP
- Default
summary: Insecure wildcard CORS policy in github.com/rs/cors
description: |
Fiber's CORS middleware actively bypasses the wildcard exception:
if developers configure their CORS to allow credentials and specify the
wildcard as an allowed origin, the resulting middleware unconditionally
reflects the value of the request's Origin header in the
Access-Control-Allow-Origin response header.
The CORS handler actively converts a wildcard CORS policy into reflecting an
arbitrary Origin header value, which is incompatible with the CORS security
design, and could lead to CORS misconfiguration security problems.
cves:
- CVE-2018-20744
ghsas:
- GHSA-927h-x4qj-r242
references:
- fix: https://github.com/gofiber/fiber/pull/2339
- fix: https://github.com/rs/cors/pull/57
- report: https://github.com/rs/cors/issues/55
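Review bot: `- New` under `symbols` is an unchanged context line carried over from the github.com/gofiber/fiber/v2 version of this report, while the newly added vulnerable symbol is `Cors.handlePreflight` and `AllowAll`, `Default`, `Cors.ServeHTTP` and `Cors.HandlerFunc` are placed under `derived_symbols`; if `New` merely constructs the handler rather than containing the reflection logic, it belongs with the derived symbols, otherwise the report should say why the constructor itself is vulnerable. The description is also less precise than the text it replaces: the old wording named the triggering configuration (wildcard origin together with credentials), whereas "could lead to CORS misconfiguration security problems" does not tell an operator which settings to audit; stating whether the reflection happens for any wildcard policy or only when credentials are allowed would make the advisory actionable.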
