CVE-2018-20744
Published 2019-01-28
Priority P428 · medium · 5.9 · CVSS 3.0
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.72% (49.2th percentile)
The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gofiber_fiber_v2 | >= 2.0.0 < 2.43.0 | 2.43.0 |
| github.com | rs_cors | >= 0 < 1.5.0 | 1.5.0 |
| go_cors_project | go_cors | <= 1.3.0 | — |
CVSS provenance
nvd · v3.0 · 5.9 MEDIUM · CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
OSV
Insecure wildcard CORS policy in github.com/rs/cors
osv·2023-06-08
CVE-2018-20744 Insecure wildcard CORS policy in github.com/rs/cors
The CORS handler actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
GHSA
github.com/gofiber/fiber/v2 vulnerable to Origin Validation Error
ghsa·2022-05-14
CVE-2018-20744 [MEDIUM] CWE-346 github.com/gofiber/fiber/v2 vulnerable to Origin Validation Error
The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
OSV
github.com/gofiber/fiber/v2 vulnerable to Origin Validation Error
osv·2022-05-14
CVE-2018-20744 [MEDIUM] github.com/gofiber/fiber/v2 vulnerable to Origin Validation Error
The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.securityfocus.com/bid/106834
https://github.com/rs/cors/issues/55
https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-chen.pdf