Sha256: 3db8562ce4961322bfdd621ec70836fdfcc54e85265a3a6d02f7357a0b5e614a

Contents?: true

Size: 716 Bytes

Versions: 3

Compression:

Stored size: 716 Bytes

Contents

---
gem: rack-cors
cve: 2017-11173
date: 2015-07-13
url: https://github.com/cyu/rack-cors/issues/86
title: rack-cors Gem Missing Anchor permits unauthorized CORS requests
description: |
  Missing anchor in generated regex for rack-cors before 0.4.1
  allows a malicious third-party site to perform CORS requests.
  If the configuration were intended to allow only the trusted
  example.com domain name and not the malicious example.net domain name,
  then example.com.example.net (as well as example.com-example.net) would
  be inadvertently allowed.

cvss_v2: 6.8
patched_versions:
  - ">= 0.4.1"
related:
  url:
    - https://github.com/cyu/rack-cors/issues/86
    - http://seclists.org/fulldisclosure/2017/Jul/22

Version data entries

3 entries across 3 versions & 2 rubygems

Version                Path
bundler-audit-0.7.0.1  data/ruby-advisory-db/gems/rack-cors/CVE-2017-11173.yml
bundler-budit-0.6.2    data/ruby-advisory-db/gems/rack-cors/CVE-2017-11173.yml
bundler-budit-0.6.1    data/ruby-advisory-db/gems/rack-cors/CVE-2017-11173.yml