GO-2024-2955
PUBLISHED
The Gin-Gonic CORS middleware mishandles a wildcard at the end of an origin string. For example, `https://example.community/*` is accepted by the origin string `https://example.com/*`, and `http://localhost.example.com/*` is accepted by the origin string `http://localhost/*`.
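The sketch below is an added example, not code from gin-contrib/cors. It assumes the loose behaviour can be modelled as a raw string-prefix comparison, and contrasts that with a check that parses the `Origin` value and compares scheme and host exactly. The function names `prefixMatch` and `strictMatch` are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// prefixMatch models the loose behaviour the advisory describes: the text
// before the trailing wildcard is compared as a raw string prefix.
// Constructed simplification (assumption), not gin-contrib/cors source.
func prefixMatch(prefix, origin string) bool {
	return strings.HasPrefix(origin, prefix)
}

// strictMatch parses both values and requires scheme and host (including
// any port) to be equal, so a longer hostname can never satisfy the rule.
func strictMatch(allowed, origin string) bool {
	a, errA := url.Parse(strings.TrimSuffix(allowed, "/*"))
	o, errO := url.Parse(origin)
	if errA != nil || errO != nil || a.Host == "" || o.Host == "" {
		return false // unparsable or host-less values (e.g. "null") never match
	}
	return strings.EqualFold(a.Scheme, o.Scheme) && strings.EqualFold(a.Host, o.Host)
}

func main() {
	// Constructed Origin header values based on the advisory's two examples.
	cases := []struct{ rule, origin string }{
		{"https://example.com/*", "https://example.com"},
		{"https://example.com/*", "https://example.community"},
		{"http://localhost/*", "http://localhost.example.com"},
	}
	for _, c := range cases {
		loose := prefixMatch(strings.TrimSuffix(c.rule, "/*"), c.origin)
		fmt.Printf("%-22s vs %-29s loose=%-5v strict=%v\n",
			c.rule, c.origin, loose, strictMatch(c.rule, c.origin))
	}
}
```

Comparing the parsed host as a whole is what closes the gap: `example.community` and `localhost.example.com` share a string prefix with the configured origins but are different hosts.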
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | gin-contrib/cors | 0, 0 |
Timeline
- Jul 2, 2024 CVE Published
- Jul 2, 2024 CVE Updated
References
- https://github.com/advisories/GHSA-869c-j7wc-8jqv advisory
- https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d patch
- https://github.com/gin-contrib/cors/pull/106 patch
- https://github.com/gin-contrib/cors/pull/57 patch
- https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0 url
- https://github.com/gin-contrib/cors/releases/tag/v1.6.0 url