Vulnerability Report: GO-2022-0619

CVE-2022-1996, GHSA-r48q-9g5r-8q2h
Affects: github.com/emicklei/go-restful, github.com/emicklei/go-restful/v2, and 1 more
Published: Aug 15, 2022
Modified: May 20, 2024

CORS filters that use an AllowedDomains configuration parameter can match domains outside the specified set, permitting an attacker to avoid the CORS policy. The AllowedDomains configuration parameter is documented as a list of allowed origin domains, but values in this list are applied as regular expression matches. For example, an allowed domain of "example.com" will match the Origin header "example.com.malicious.domain".

Affected Packages

Path

Go Versions

Symbols
github.com/emicklei/go-restful

before v2.16.0+incompatible
- CrossOriginResourceSharing.Filter
github.com/emicklei/go-restful/v2

all versions, no known fixed
- CrossOriginResourceSharing.Filter
github.com/emicklei/go-restful/v3

from v3.0.0 before v3.8.0
- CrossOriginResourceSharing.Filter

Aliases

References

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL