Impact
Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.
For example, specifying origin patterns https://foo.com and https://bar.com (in that order) would yield a middleware that would incorrectly allow untrusted origin https://barfoo.com.
Patches
Patched in v0.9.0.
Workarounds
None.
References
jub0bs Finder
Impact
Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.
For example, specifying origin patterns
https://foo.comandhttps://bar.com(in that order) would yield a middleware that would incorrectly allow untrusted originhttps://barfoo.com.Patches
Patched in v0.9.0.
Workarounds
None.
References