Vulnerability Details: CVE-2019-25211
parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.
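The parsing flaw described above, as an added Go example that is not the project's own code: parseWildcardRules and originAllowed are simplified reconstructions of the behaviour the advisory describes (a trailing "*" rule losing the character before it), not copies of gin-contrib/cors, and the stripLastChar flag is introduced here only to show the vulnerable and corrected prefix side by side.

```go
package main

import (
	"fmt"
	"strings"
)

type wildcardRule struct{ prefix, suffix string } // literal text around the single "*"

// parseWildcardRules splits each allowed origin containing one "*" into a prefix/suffix
// pair. Simplified reconstruction for illustration: stripLastChar=true reproduces the
// pre-1.6.0 behaviour (dropping the character before a trailing "*"), false the fix.
func parseWildcardRules(origins []string, stripLastChar bool) []wildcardRule {
	var rules []wildcardRule
	for _, o := range origins {
		i := strings.Index(o, "*")
		if i < 0 || strings.Count(o, "*") > 1 {
			continue // literal origins are compared exactly elsewhere; multi-* rules rejected
		}
		if i == len(o)-1 { // trailing wildcard, e.g. "https://example.com/*"
			end := i
			if stripLastChar {
				end = i - 1 // bug: prefix becomes "https://example.com", not "https://example.com/"
			}
			rules = append(rules, wildcardRule{prefix: o[:end], suffix: ""})
			continue
		}
		rules = append(rules, wildcardRule{prefix: o[:i], suffix: o[i+1:]})
	}
	return rules
}

// originAllowed reports whether a request Origin header value matches any wildcard rule.
func originAllowed(origin string, rules []wildcardRule) bool {
	for _, r := range rules {
		if strings.HasPrefix(origin, r.prefix) && strings.HasSuffix(origin, r.suffix) {
			return true
		}
	}
	return false
}

func main() {
	allowed := []string{"https://example.com/*", "http://localhost/*"} // constructed config
	for _, origin := range []string{"https://example.com/app", "https://example.community", "http://localhost.example.com"} {
		fmt.Printf("%-28s vulnerable=%v fixed=%v\n", origin,
			originAllowed(origin, parseWildcardRules(allowed, true)), originAllowed(origin, parseWildcardRules(allowed, false)))
	}
}
```

Running it shows the two foreign origins from the advisory accepted only by the vulnerable parse, while the intended origin passes both.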
Exploit prediction scoring system (EPSS) score for CVE-2019-25211
EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~28% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-25211
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-08-01
CWE ids for CVE-2019-25211
- The product does not properly verify that the source of data or communication is valid. Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2019-25211
- https://github.com/gin-contrib/cors/pull/57 ([Fix] parseWildcardRules removes the last non-asterisk character wrongly by maxshine · Pull Request #57 · gin-contrib/cors · GitHub)
- https://github.com/gin-contrib/cors/releases/tag/v1.6.0 (Release v1.6.0 · gin-contrib/cors · GitHub)
- https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d (fixe(domain): wildcard parse bug (#106) · gin-contrib/cors@27b723a · GitHub)
- https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0 (Comparing v1.5.0...v1.6.0 · gin-contrib/cors · GitHub)
- https://github.com/gin-contrib/cors/pull/106 (fixe(domain): wildcard parse bug by Hvitgar · Pull Request #106 · gin-contrib/cors · GitHub)