x/vulndb: potential Go vuln in github.com/rs/cors

[KenJPH]

Description

The CORS handler actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

Affected Modules, Packages, Versions and Symbols

Module: github.com/rs/cors
Package: github.com/rs/cors
Versions:
  - Introduced: 1.1.0
  - Fixed: 1.5.0
Symbols:
  - all symbols

Does this vulnerability already have an associated CVE ID?

Yes

CVE ID

CVE-2018-20744

Credit

No response

CWE ID

CWE-346

Pull Request

rs/cors#57

Commit

No response

References

• https://github.com/rs/cors#allow--with-credentials-security-protection
• CORS security: reflecting any origin header value when configured to * is dangerous rs/cors#55
• Fix * behavior to be standards compliant. rs/cors#57

Additional information

The CVE states up to version 1.3.0 but 1.4.0 is also vulnerable as it doesn't contain the fix.

[maceonthompson]

Thanks for the report! This will be designated as GO-1792-2023 in the Go Vulnerability Database, and will appear in the database by EOD Wednesday next week.

[gopherbot]

Change https://go.dev/cl/500075 mentions this issue: data/reports: add GO-2023-1792.yaml

[KenJPH]

Change https://go.dev/cl/500075 mentions this issue: data/reports: add GO-2023-1792.yaml

Why does this change reference github.com/gofiber/fiber/v2 but not github.com/rs/cors?

[gopherbot]

Change https://go.dev/cl/502637 mentions this issue: data/reports: update GO-2023-1792.yaml

[maceonthompson]

@KenJPH that was an error on our end when creating the report, thanks for catching it!