x/vulndb: origin-validation error in github.com/jub0bs/fcors

[jub0bs]

Acknowledgement

• The maintainer(s) of the affected project have already been made aware of this vulnerability.

Description

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patterns https://foo.com and https://bar.com (in that order) would yield a middleware that would incorrectly allow untrusted origin https://barfoo.com.

Affected Modules, Packages, Versions and Symbols

Module: github.com/jub0bs/fcors
Package: github.com/jub0bs/fcors
Versions:
  - Introduced: 0.8.0
  - Fixed: 0.9.0
Symbols:
  - AllowAccess
  - AllowAccessWithCredentials
  - FromOrigins
  - Middleware

CVE/GHSA ID

GHSA-v84h-653v-4pq9

Fix Commit or Pull Request

jub0bs/fcors@b5dcb88

References

• https://cwe.mitre.org/data/definitions/346.html

[gopherbot]

Change https://go.dev/cl/586140 mentions this issue: data/reports: add 2 reports