PT-2019-10198 · Olivier Poitrey · Go Cors Handler
Published
2019-01-28
·
Updated
2023-06-08
·
CVE-2018-20744
CVSS v3.1
5.9
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
Olivier Poitrey Go CORS handler versions 1.3.0 and earlier
Description:
The issue arises from the active conversion of a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design. This incompatibility could lead to CORS misconfiguration security problems.
Recommendations:
For versions 1.3.0 and earlier, consider disabling the CORS handler until a patch is available to prevent potential CORS misconfiguration security problems. Restrict access to the CORS policy configuration to minimize the risk of exploitation. Avoid using wildcard CORS policies in the affected handler until the issue is resolved.
Fix
Origin Validation Error
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Go Cors Handler