Inclusion of Functionality from Untrusted Control Sphere
CVE-2019-25211
Summary
The "parseWildcardRules" function in the Gin-Gonic CORS middleware, in versions prior to 1.6.0, mishandles a wildcard at the end of an origin string. For example, "https://example.community/" is allowed when the intention is that only "https://example.com/" should be allowed, and "http://localhost.example.com/" is allowed when the intention is that only "http://localhost/" should be allowed.
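As an added illustration (not code from gin-contrib/cors), the two functions below contrast a naive trailing-wildcard rule that degrades into a plain prefix check, reproducing the over-broad matches quoted above, with a matcher that compares scheme and host as whole components and accepts a wildcard only as a leading `*.` label. The rule strings and function names are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// naiveAllows models the pitfall the advisory describes (constructed
// illustration): a trailing "*" turns the rule into a bare prefix test, so
// "https://example.com*" also admits "https://example.community/".
func naiveAllows(rule, origin string) bool {
	if strings.HasSuffix(rule, "*") {
		return strings.HasPrefix(origin, strings.TrimSuffix(rule, "*"))
	}
	return rule == origin
}

// strictAllows parses both rule and origin and compares scheme and host
// (including any port) as whole components. A rule is either an exact origin
// ("https://example.com") or a subdomain wildcard ("https://*.example.com");
// a "*" glued onto the end of a host label is rejected instead of widened.
func strictAllows(rule, origin string) (bool, error) {
	o, err := url.Parse(origin)
	if err != nil || o.Scheme == "" || o.Host == "" {
		return false, fmt.Errorf("malformed origin %q", origin)
	}
	r, err := url.Parse(rule)
	if err != nil || r.Scheme == "" || r.Host == "" {
		return false, fmt.Errorf("malformed rule %q", rule)
	}
	if r.Scheme != o.Scheme {
		return false, nil
	}
	host := strings.ToLower(o.Host)
	pattern := strings.ToLower(r.Host)
	if strings.Contains(pattern, "*") {
		if !strings.HasPrefix(pattern, "*.") || strings.Contains(pattern[2:], "*") {
			return false, fmt.Errorf("unsupported wildcard in rule %q", rule)
		}
		// Match only on a full label boundary: "*.example.com" accepts
		// "api.example.com" but neither "example.community" nor "example.com".
		suffix := pattern[1:] // ".example.com"
		return strings.HasSuffix(host, suffix) && len(host) > len(suffix), nil
	}
	return host == pattern, nil
}
```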
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- LOW
CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Advisory Timeline
- Published