GO-2022-0619

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0619

Import Source

https://vuln.go.dev/ID/GO-2022-0619.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0619

Aliases

Published

2022-08-15T18:05:29Z

Modified

2024-05-20T16:03:47Z

Summary

Authorization bypass in github.com/emicklei/go-restful, go-restful/v2 and go-restful/v3

Details

CORS filters that use an AllowedDomains configuration parameter can match domains outside the specified set, permitting an attacker to avoid the CORS policy.

The AllowedDomains configuration parameter is documented as a list of allowed origin domains, but values in this list are applied as regular expression matches. For example, an allowed domain of "example.com" will match the Origin header "example.com.malicious.domain".

References

Affected packages

Go / github.com/emicklei/go-restful

Package

Name: github.com/emicklei/go-restful; View open source insights on deps.dev
Purl: pkg:golang/github.com/emicklei/go-restful

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.16.0+incompatible

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/emicklei/go-restful",
            "symbols": [
                "CrossOriginResourceSharing.Filter",
                "CrossOriginResourceSharing.isOriginAllowed"
            ]
        }
    ]
}

Go / github.com/emicklei/go-restful/v2

Package

Name: github.com/emicklei/go-restful/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/emicklei/go-restful/v2

Affected ranges

Type: SEMVER
Events: Introduced

2.7.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/emicklei/go-restful/v2",
            "symbols": [
                "CrossOriginResourceSharing.Filter",
                "CrossOriginResourceSharing.isOriginAllowed"
            ]
        }
    ]
}

Go / github.com/emicklei/go-restful/v3

Package

Name: github.com/emicklei/go-restful/v3; View open source insights on deps.dev
Purl: pkg:golang/github.com/emicklei/go-restful/v3

Affected ranges

Type: SEMVER
Events: Introduced

3.0.0

Fixed

3.8.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/emicklei/go-restful/v3",
            "symbols": [
                "CrossOriginResourceSharing.Filter",
                "CrossOriginResourceSharing.isOriginAllowed"
            ]
        }
    ]
}