Authentication mechanism absence or evasion in openssl-encrypt
Description
openssl-encrypt has CORS wildcard with allow_credentials=True in standalone servers
Summary
Both standalone servers configure CORS with allow_origins=["*"], allow_credentials=True, allow_methods=["*"], and allow_headers=["*"].
Affected Code
```python
# server/telemetry-server/app/main.py:23-29
app.add_middleware(
    CORSMiddleware,
    allow_origins=settings.cors_origins,  # defaults to ["*"]
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)
...
```
The docker-compose file (openssl_encrypt_server/docker-compose.yml:75) also defaults CORS_ORIGINS to *, and .env.example ships with CORS_ORIGINS=*.
Impact
This is the most permissive CORS configuration possible, allowing any website to make fully credentialed cross-origin requests to the API. An attacker's website could make authenticated API calls on behalf of any user who visits it.
Recommended Fix
Remove wildcard defaults — require explicit origin configuration
Never combine allow_origins=["*"] with allow_credentials=True
Update .env.example with placeholder domains instead of *
Fix
Fixed in commit 809416b on branch releases/1.4.x — changed CORS default from ["*"] to [] in both key-server and telemetry-server; added validation rejecting wildcard when debug=False.
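One way to implement the validation the fix describes: an empty default and a wildcard that is refused when debug=False. This is an added example, not the project's code; `parse_cors_origins`, `cors_kwargs`, and the method and header lists are hypothetical.

```python
from urllib.parse import urlsplit


def parse_cors_origins(raw: str, debug: bool = False) -> list[str]:
    """Turn a CORS_ORIGINS-style comma-separated value into a vetted list.

    Empty input yields [] (no cross-origin access). "*" is refused unless
    debug is True; other entries must be a bare http(s)://host[:port].
    """
    origins: list[str] = []
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            continue
        if item == "*":
            if not debug:
                raise ValueError("wildcard CORS origin rejected when debug=False")
            return ["*"]
        parts = urlsplit(item)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not an http(s) origin: {item!r}")
        # Browsers send Origin without path, query, userinfo or wildcards,
        # so "https://host/" or "https://*.host" would never match safely.
        if (parts.path or parts.query or parts.fragment
                or parts.username or "*" in item):
            raise ValueError(f"origin must be scheme://host[:port]: {item!r}")
        _ = parts.port  # raises ValueError on a malformed port
        origin = item.lower()
        if origin not in origins:
            origins.append(origin)
    return origins


def cors_kwargs(raw: str, debug: bool = False) -> dict:
    """Build keyword arguments for CORSMiddleware from the raw setting."""
    origins = parse_cors_origins(raw, debug)
    return {
        "allow_origins": origins,
        # Credentials are only enabled for an explicit, non-empty origin
        # list, never alongside a wildcard (even in debug).
        "allow_credentials": bool(origins) and origins != ["*"],
        "allow_methods": ["GET", "POST"],  # assumed; list what the API uses
        "allow_headers": ["Authorization", "Content-Type"],  # assumed
    }
```

The result would be passed as `app.add_middleware(CORSMiddleware, **cors_kwargs(raw_value, debug))`, so a misconfigured value stops the server at startup instead of serving a permissive policy.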
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
pypi | 1.4.0 |