
Inclusion of Functionality from Untrusted Control Sphere

CVE-2019-25211

Severity High
Score 9.4/10

Summary

The parseWildcardRules function in the Gin-Gonic CORS middleware, in versions prior to 1.6.0, mishandles a wildcard at the end of an allowed-origin string. For example, "https://example.community/" is allowed when the intention is that only "https://example.com/" should be allowed, and "http://localhost.example.com/" is allowed when the intention is that only "http://localhost/" should be allowed.
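The summary describes a trailing-wildcard origin rule whose effective prefix is shorter than the configured origin, so look-alike origins pass. The Go program below is an added illustration written for this page, not the middleware's own source: it assumes a matcher that splits each allow-list entry on its single "*" into a prefix and suffix, and it models the defect as the prefix for a trailing "*" being cut one byte short (an assumption used to reproduce the symptom in the summary). The same rules are then evaluated with the prefix kept intact. The allow-list entries, the test origins and the function names (splitWildcard, LooseAllowed, StrictAllowed) are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// wildcardRule is the prefix/suffix pair a single "*" entry is split into:
// an origin matches when it starts with prefix and ends with suffix.
type wildcardRule struct {
	prefix string
	suffix string
}

// splitWildcard splits one allow-list entry containing exactly one "*".
// trimExtra models the assumed off-by-one: when true, the prefix kept for a
// trailing "*" is one byte shorter than the text before the "*", which turns
// "https://example.com/*" into the prefix "https://example.com".
func splitWildcard(entry string, trimExtra bool) (wildcardRule, bool) {
	if strings.Count(entry, "*") != 1 {
		return wildcardRule{}, false
	}
	i := strings.Index(entry, "*")
	switch {
	case i == 0:
		return wildcardRule{prefix: "", suffix: entry[1:]}, true
	case i == len(entry)-1:
		end := i
		if trimExtra {
			end = i - 1 // the modelled defect: drops the final "/"
		}
		return wildcardRule{prefix: entry[:end], suffix: ""}, true
	default:
		return wildcardRule{prefix: entry[:i], suffix: entry[i+1:]}, true
	}
}

// originAllowed reports whether origin matches any entry: wildcard-free
// entries are compared exactly, wildcard entries by prefix and suffix.
func originAllowed(origin string, entries []string, trimExtra bool) bool {
	for _, e := range entries {
		if !strings.Contains(e, "*") {
			if origin == e {
				return true
			}
			continue
		}
		r, ok := splitWildcard(e, trimExtra)
		if !ok {
			continue
		}
		if strings.HasPrefix(origin, r.prefix) && strings.HasSuffix(origin, r.suffix) {
			return true
		}
	}
	return false
}

// LooseAllowed reproduces the mishandled trailing wildcard; StrictAllowed keeps
// the full prefix, which is what the configured origin intends.
func LooseAllowed(origin string, entries []string) bool  { return originAllowed(origin, entries, true) }
func StrictAllowed(origin string, entries []string) bool { return originAllowed(origin, entries, false) }

func main() {
	// Constructed allow-list; the probe origins are the ones named in the summary.
	entries := []string{"https://example.com/*", "http://localhost/*"}
	probes := []string{
		"https://example.com/",
		"https://example.community/",
		"http://localhost/",
		"http://localhost.example.com/",
	}
	for _, o := range probes {
		fmt.Printf("%-32s loose=%-5v strict=%v\n", o, LooseAllowed(o, entries), StrictAllowed(o, entries))
	}
}
```

Running it shows the two look-alike origins accepted by the loose matcher and rejected by the strict one, while the intended origins pass both. Even the strict form is only as tight as its prefix: where a single exact origin is intended, listing it without a wildcard is the safer configuration. The practical check for a deployment is the dependency version: confirm the CORS middleware module resolves to 1.6.0 or later (for a Go module, `go list -m` on the module path reports the version in use).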

CVSS Base Metrics

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: HIGH
  • Integrity: HIGH
  • Availability: LOW

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Advisory Timeline

  • Published