Vulnerability Description
The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
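A check a service owner can run against their own handler to see whether a wildcard policy is answered with a literal `*` or with the request's Origin echoed back, as the description above says of versions through 1.3.0. This is an added example, not code from rs/cors or from this advisory; the two handlers, `Classify` and the probe origin are constructed stand-ins, and only the Go standard library is used.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probeOrigin is a constructed origin that no allow-list would contain.
const probeOrigin = "https://probe.invalid"

// reflectingWildcard is a hypothetical stand-in for the described behaviour:
// the policy is "*", but the response echoes the request's Origin header.
func reflectingWildcard(w http.ResponseWriter, r *http.Request) {
	if o := r.Header.Get("Origin"); o != "" {
		w.Header().Set("Access-Control-Allow-Origin", o)
		w.Header().Add("Vary", "Origin")
	}
}

// literalWildcard answers the same policy with a literal "*".
func literalWildcard(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*")
}

// Classify sends one in-process request carrying probeOrigin and reports how
// the handler answered: "none", "wildcard", "reflects" or "other".
func Classify(h http.Handler) string {
	req := httptest.NewRequest(http.MethodGet, "http://service.invalid/", nil)
	req.Header.Set("Origin", probeOrigin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	switch rec.Result().Header.Get("Access-Control-Allow-Origin") {
	case "":
		return "none"
	case "*":
		return "wildcard"
	case probeOrigin:
		return "reflects" // an unlisted origin was echoed back
	default:
		return "other" // a fixed origin, i.e. a real allow-list
	}
}

func main() {
	fmt.Println("reflecting handler:", Classify(http.HandlerFunc(reflectingWildcard)))
	fmt.Println("literal handler:   ", Classify(http.HandlerFunc(literalWildcard)))
}
```

To check a real service, pass its outermost `http.Handler`, with the CORS middleware applied, to `Classify`.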
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Go Cors Project | Go Cors | <= 1.3.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/106834 (Third Party Advisory)
- https://github.com/rs/cors/issues/55 (Issue Tracking, Third Party Advisory)
- https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-chen.pdf (Third Party Advisory)
FAQ
What is CVE-2018-20744?
CVE-2018-20744 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and co...
How severe is CVE-2018-20744?
CVE-2018-20744 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-20744?
Check the references section above for vendor advisories and patch information. Affected products include: Go Cors Project Go Cors.