Bug 1227346 (CVE-2019-25211)

Summary:	VUL-0: CVE-2019-25211: ollama: parseWildcardRules in Gin-Gonic CORS mishandles a wildcard at the end of an origin string
Product:	[openSUSE] openSUSE Distribution	Reporter:	SMASH SMASH <smash_bz>
Component:	Security	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P5 - None	CC:	andrea.mattiazzo
Version:	Leap 15.6
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/412410/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-07-03 13:24:09 UTC

parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-25211
https://www.cve.org/CVERecord?id=CVE-2019-25211
https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d
https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0
https://github.com/gin-contrib/cors/pull/106
https://github.com/gin-contrib/cors/pull/57
https://github.com/gin-contrib/cors/releases/tag/v1.6.0

Comment 1 Andrea Mattiazzo 2024-07-03 13:24:43 UTC

Already fixed, closing.

./go.mod:       github.com/gin-contrib/cors v1.7.2