CVE-2017-11173
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Missing anchor in generated regex for rack-cors before 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed.
La falta de anclaje en la expresión regular (regex) generada para rack-cors anterior a versión 0.4.1 permite que un sitio de terceros malicioso realice peticiones CORS. Si la configuración estuviera destinada a permitir solo el nombre de dominio de confianza example.com y no el nombre de dominio malicioso example.net, entonces, podría ser permitido inadvertidamente example.com.example.net (así como example.com-example.net).
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-07-11 CVE Reserved
- 2017-07-13 CVE Published
- 2023-05-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
http://seclists.org/fulldisclosure/2017/Jul/22 | Mailing List | |
https://packetstormsecurity.com/files/143345/rack-cors-Missing-Anchor.html | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/cyu/rack-cors/commit/42ebe6caa8e85ffa9c8a171bda668ba1acc7a5e6 | 2020-03-03 |
URL | Date | SRC |
---|---|---|
http://www.debian.org/security/2017/dsa-3931 | 2020-03-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Rack-cors Project Search vendor "Rack-cors Project" | Rack-cors Search vendor "Rack-cors Project" for product "Rack-cors" | < 0.4.1 Search vendor "Rack-cors Project" for product "Rack-cors" and version " < 0.4.1" | ruby |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
|