CVE-2017-20146 – github.com/gorilla/handlers
Package
Manager: go
Name: github.com/gorilla/handlers
Vulnerable Version: >=0 <1.3.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00059 (percentile: 0.18414)
Details
gorilla/handlers may allow requester to bypass expected behavior of the Same Origin Policy.

Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.
Metadata
Created: 2022-12-28T00:30:23Z
Modified: 2023-01-10T15:59:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-jcr6-mmjj-pchw/GHSA-jcr6-mmjj-pchw.json
CWE IDs: ["CWE-346"]
Alternative ID: GHSA-jcr6-mmjj-pchw
Finding: F184
Auto approve: 1