Vulnerability Description
Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gorillatoolkit | Handlers | < 1.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76PatchThird Party Advisory
- https://github.com/gorilla/handlers/pull/116PatchThird Party Advisory
- https://pkg.go.dev/vuln/GO-2020-0020Third Party Advisory
- https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76PatchThird Party Advisory
- https://github.com/gorilla/handlers/pull/116PatchThird Party Advisory
- https://pkg.go.dev/vuln/GO-2020-0020Third Party Advisory
FAQ
What is CVE-2017-20146?
CVE-2017-20146 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the...
How severe is CVE-2017-20146?
CVE-2017-20146 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-20146?
Check the references section above for vendor advisories and patch information. Affected products include: Gorillatoolkit Handlers.