Bug 2158262 (CVE-2017-20146) - CVE-2017-20146 gorilla: Usage of the CORS handler may apply improper CORS headers
Summary: CVE-2017-20146 gorilla: Usage of the CORS handler may apply improper CORS hea...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-20146
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2156768
TreeView+ depends on / blocked
 
Reported: 2023-01-04 20:08 UTC by Anten Skrabec
Modified: 2023-01-08 00:00 UTC (History)
89 users (show)

Fixed In Version: github.com/gorilla/handlers 1.3.0
Doc Type: ---
Doc Text:
A flaw was found in Gorilla. Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.
Clone Of:
Environment:
Last Closed: 2023-01-08 00:00:41 UTC
Embargoed:

Attachments (Terms of Use)

Description Anten Skrabec 2023-01-04 20:08:08 UTC 
Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.

https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145
https://github.com/gorilla/handlers/pull/116
https://pkg.go.dev/vuln/GO-2020-0020
Comment 1 Product Security DevOps Team 2023-01-08 00:00:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-20146
Note You need to log in before you can comment on or make changes to this bug.