CVSS: 9.3 • EPSS: 0% • CPEs: 4 • EXPL: 1

Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.

A flaw was found in the CORS Filter feature of the go-restful package. When a user inputs a domain which is in AllowedDomains, all domains starting with the same pattern are accepted. This issue could allow an attacker to break the CORS policy by allowing any page to make requests and retrieve data on behalf of users.

• https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10
• https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6
• https://lists.fedoraproject.org/archi
• CWE-639: Authorization Bypass Through User-Controlled Key