VDB
CVE-2017-11173
CVE-2017-11173
PUBLISHED
Missing anchor in generated regex for rack-cors before 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed.
EPSS 1.75% · 82.9th percentile
Risk Scores
EPSS Score
1.75%
82.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | ruby-rack-cors | 0, 0.4.0-1 |
Exploit Intelligence
Timeline
- Jul 13, 2017 CVE Published
- Mar 3, 2020 CVE Updated
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-11173 third-party-advisory
- http://seclists.org/fulldisclosure/2017/Jul/22 third-party-advisory
- https://github.com/cyu/rack-cors/commit/42ebe6caa8e85ffa9c8a171bda668ba1acc7a5e6 third-party-advisory
- https://packetstormsecurity.com/files/143345/rack-cors-Missing-Anchor.html third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-11173 third-party-advisory