PT-2022-3324 · Unknown+3 · Go-Restful+3
Published
2022-06-06
·
Updated
2026-01-30
·
CVE-2022-1996
CVSS v2.0
9.4
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
go-restful versions prior to v3.8.0
Description
The issue is related to an authorization bypass through a user-controlled key. This could allow a remote attacker to elevate their privileges. The vulnerability is also related to CORS filters that use an AllowedDomains configuration parameter, which can match domains outside the specified set, permitting an attacker to avoid the CORS policy. The AllowedDomains configuration parameter is applied as regular expression matches, which can lead to unintended domain matches.
Recommendations
For go-restful versions prior to v3.8.0, update to version v3.8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the
AllowedDomains configuration parameter to minimize the risk of exploitation. Avoid using the AllowedDomains parameter with values that can be matched as regular expressions to unintended domains until the issue is resolved.Exploit
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Astra Linux
Debian
Suse
Go-Restful