CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27456
https://notcve.org/view.php?id=CVE-2024-27456
26 Feb 2024 — rack-cors (aka Rack CORS Middleware) 2.0.1 has 0666 permissions for the .rb files. rack-cors (también conocido como Rack CORS Middleware) 2.0.1 tiene permisos 0666 para los archivos .rb. • https://github.com/cyu/rack-cors/issues/274 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2019-18978 – Debian Security Advisory 4918-1
https://notcve.org/view.php?id=CVE-2019-18978
14 Nov 2019 — An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. Se descubrió un problema en la gema rack-cors (también se conoce como Rack CORS Middleware) versiones anteriores a la versión 1.0.4 para Ruby. Permite que un salto de directorio ../ acceda a recursos privados porque la coincidencia de recursos no garantiza que los nombre... • https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2017-11173
https://notcve.org/view.php?id=CVE-2017-11173
13 Jul 2017 — Missing anchor in generated regex for rack-cors before 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed. La falta de anclaje en la expresión regular (regex) generada para rack-cors anterior a versión 0.4.1 permite que un sitio de terceros malicioso realice peticio... • http://seclists.org/fulldisclosure/2017/Jul/22 •