CVE-2024-25124 (GCVE-0-2024-25124)
Vulnerability from cvelistv5
Published
2024-02-21 21:01
Modified
2024-08-26 14:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:36:21.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg"
},
{
"name": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23"
},
{
"name": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"
},
{
"name": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"
},
{
"name": "https://github.com/gofiber/fiber/releases/tag/v2.52.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1"
},
{
"name": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true"
},
{
"name": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"lessThan": "2.52.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25124",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T16:40:32.534976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T14:39:19.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"status": "affected",
"version": "\u003c 2.52.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-21T21:01:44.672Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg"
},
{
"name": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23"
},
{
"name": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"
},
{
"name": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"
},
{
"name": "https://github.com/gofiber/fiber/releases/tag/v2.52.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1"
},
{
"name": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true",
"tags": [
"x_refsource_MISC"
],
"url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true"
},
{
"name": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html",
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html"
}
],
"source": {
"advisory": "GHSA-fmg4-x8pw-hjhg",
"discovery": "UNKNOWN"
},
"title": "Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25124",
"datePublished": "2024-02-21T21:01:44.672Z",
"dateReserved": "2024-02-05T14:14:46.380Z",
"dateUpdated": "2024-08-26T14:39:19.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-25124\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-21T21:15:09.250\",\"lastModified\":\"2025-02-05T22:03:51.013\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this.\"},{\"lang\":\"es\",\"value\":\"Fiber es un framework web escrito en go. Antes de la versi\u00f3n 2.52.1, el middleware CORS permit\u00eda configuraciones inseguras que podr\u00edan exponer la aplicaci\u00f3n a m\u00faltiples vulnerabilidades relacionadas con CORS. Espec\u00edficamente, permite establecer el encabezado Access-Control-Allow-Origin en un comod\u00edn (`*`) y al mismo tiempo tener Access-Control-Allow-Credentials establecido en verdadero, lo que va en contra de las mejores pr\u00e1cticas de seguridad recomendadas. El impacto de esta mala configuraci\u00f3n es alto, ya que puede conducir a un acceso no autorizado a datos confidenciales del usuario y exponer el sistema a varios tipos de ataques enumerados en el art\u00edculo de PortSwigger vinculado en las referencias. La versi\u00f3n 2.52.1 contiene un parche para este problema. Como workaround, los usuarios pueden validar manualmente las configuraciones de CORS en su implementaci\u00f3n para asegurarse de que no permitan un origen comod\u00edn cuando las credenciales est\u00e9n habilitadas. La API de recuperaci\u00f3n del navegador, as\u00ed como los navegadores y las utilidades que aplican las pol\u00edticas CORS, no se ven afectados por esto.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":5.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-346\"},{\"lang\":\"en\",\"value\":\"CWE-942\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-346\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"2.52.1\",\"matchCriteriaId\":\"FE99D46C-AA78-4C2D-B608-48B3FAAB2882\"}]}]}],\"references\":[{\"url\":\"http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://fetch.spec.whatwg.org/#cors-protocol-and-credentials\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gofiber/fiber/releases/tag/v2.52.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://fetch.spec.whatwg.org/#cors-protocol-and-credentials\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gofiber/fiber/releases/tag/v2.52.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg\", \"name\": \"https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23\", \"name\": \"https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials\", \"name\": \"https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials\", \"name\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://fetch.spec.whatwg.org/#cors-protocol-and-credentials\", \"name\": \"https://fetch.spec.whatwg.org/#cors-protocol-and-credentials\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/gofiber/fiber/releases/tag/v2.52.1\", \"name\": \"https://github.com/gofiber/fiber/releases/tag/v2.52.1\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true\", \"name\": \"https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html\", \"name\": \"http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:36:21.623Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-25124\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-22T16:40:32.534976Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*\"], \"vendor\": \"gofiber\", \"product\": \"fiber\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.52.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-26T14:39:07.296Z\"}}], \"cna\": {\"title\": \"Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials\", \"source\": {\"advisory\": \"GHSA-fmg4-x8pw-hjhg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gofiber\", \"product\": \"fiber\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.52.1\"}]}], \"references\": [{\"url\": \"https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg\", \"name\": \"https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23\", \"name\": \"https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials\", \"name\": \"https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials\", \"name\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://fetch.spec.whatwg.org/#cors-protocol-and-credentials\", \"name\": \"https://fetch.spec.whatwg.org/#cors-protocol-and-credentials\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gofiber/fiber/releases/tag/v2.52.1\", \"name\": \"https://github.com/gofiber/fiber/releases/tag/v2.52.1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true\", \"name\": \"https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html\", \"name\": \"http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-346\", \"description\": \"CWE-346: Origin Validation Error\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-942\", \"description\": \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-02-21T21:01:44.672Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-25124\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-26T14:39:19.825Z\", \"dateReserved\": \"2024-02-05T14:14:46.380Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-02-21T21:01:44.672Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…