CVE-2019-25211

parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.

Weakness

The product does not properly verify that the source of data or communication is valid.

Affected Software

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/111.html
• https://cwe.mitre.org/data/definitions/141.html
• https://cwe.mitre.org/data/definitions/142.html
• https://cwe.mitre.org/data/definitions/160.html
• https://cwe.mitre.org/data/definitions/21.html
• https://cwe.mitre.org/data/definitions/384.html
• https://cwe.mitre.org/data/definitions/385.html
• https://cwe.mitre.org/data/definitions/386.html
• https://cwe.mitre.org/data/definitions/387.html
• https://cwe.mitre.org/data/definitions/388.html
• https://cwe.mitre.org/data/definitions/510.html
• https://cwe.mitre.org/data/definitions/59.html
• https://cwe.mitre.org/data/definitions/60.html
• https://cwe.mitre.org/data/definitions/75.html
• https://cwe.mitre.org/data/definitions/76.html
• https://cwe.mitre.org/data/definitions/89.html

References

• https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d
• https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0
• https://github.com/gin-contrib/cors/pull/106
• https://github.com/gin-contrib/cors/pull/57
• https://github.com/gin-contrib/cors/releases/tag/v1.6.0
• https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d
• https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0
• https://github.com/gin-contrib/cors/pull/106
• https://github.com/gin-contrib/cors/pull/57
• https://github.com/gin-contrib/cors/releases/tag/v1.6.0