PT-2017-11796 · Ruby · Rack-Cors

Jens Mueller · Published 2017-07-13 · Updated 2020-03-03 · CVE-2017-11173

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
rack-cors versions prior to 0.4.1

Description
rack-cors turns each configured trusted origin into a regular expression, and the generated regex lacks a terminating anchor. As a result it matches any origin that merely begins with a trusted domain name, not only that name itself, so a malicious third-party site can perform CORS requests against the application. Unintended domains are therefore allowed whenever the configuration trusts specific domain names: if the configuration is intended to allow only the trusted example.com and not the malicious example.net, then example.com.example.net (as well as example.com-example.net) is inadvertently allowed.

Recommendations
For versions prior to 0.4.1, update to version 0.4.1 or later to resolve the issue.
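The following Ruby snippet is an added illustration of the defect class this advisory describes and is not the rack-cors gem's own code; the function names, the regex shape and the sample Origin values are assumptions constructed for the example. It builds the same origin matcher with and without a trailing anchor and shows that only the anchored form rejects the example.com.example.net and example.com-example.net origins named above.

```ruby
# Illustration (not rack-cors code) of an origin allow-list compiled into a
# regex with and without a trailing anchor. Names and regex shape are assumed.

# Builds a matcher for one trusted host. Without the trailing "\z" anchor the
# pattern accepts any origin that merely *starts* with the trusted host.
def origin_pattern(host, anchored:)
  body = "\\Ahttps?://#{Regexp.escape(host)}"
  Regexp.new(anchored ? "#{body}\\z" : body)
end

# Returns true when +origin+ (the Origin request header value) matches the
# trusted host under the chosen matcher.
def origin_allowed?(origin, trusted_host, anchored: true)
  !!(origin_pattern(trusted_host, anchored: anchored) =~ origin)
end

# Constructed sample Origin headers; not taken from real traffic.
SAMPLE_ORIGINS = [
  "https://example.com",             # the trusted site
  "https://example.com.example.net", # lookalike from the advisory
  "https://example.com-example.net", # lookalike from the advisory
  "https://example.net",             # unrelated site
].freeze

# Evaluates every sample origin against both matchers and returns a hash of
# origin => [result_without_anchor, result_with_anchor].
def compare_matchers(trusted_host = "example.com")
  SAMPLE_ORIGINS.each_with_object({}) do |origin, results|
    results[origin] = [
      origin_allowed?(origin, trusted_host, anchored: false),
      origin_allowed?(origin, trusted_host, anchored: true),
    ]
  end
end

if $PROGRAM_NAME == __FILE__
  compare_matchers.each do |origin, (unanchored, anchored)|
    printf("%-36s unanchored=%-5s anchored=%s\n", origin, unanchored, anchored)
  end
end
```

The example anchors with `\A` and `\z` rather than `^` and `$`: in Ruby those two are line anchors, so a pattern ending in `$` would still accept a value containing a newline after the trusted host. Any allow-list that is compiled into a regex, in rack-cors or elsewhere, should be checked the same way: feed it a trusted origin plus the suffix and hyphen variants shown here and confirm only the exact origin is accepted.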

Fix


Related identifiers

CVE-2017-11173
DSA-3931-1
GHSA-2J9C-9VMV-7M39

Affected products

Rack-Cors