CVE-2024-25124

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-25124
Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this.

9.4 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23
https://github.com/gofiber/fiber/releases/tag/v2.52.1
https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg
https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true
Configurations

No configuration.

History

22 Feb 2024, 19:07

Type Values Removed Values Added
Summary
  • (es) Fiber es un framework web escrito en go. Antes de la versión 2.52.1, el middleware CORS permitía configuraciones inseguras que podrían exponer la aplicación a múltiples vulnerabilidades relacionadas con CORS. Específicamente, permite establecer el encabezado Access-Control-Allow-Origin en un comodín (`*`) y al mismo tiempo tener Access-Control-Allow-Credentials establecido en verdadero, lo que va en contra de las mejores prácticas de seguridad recomendadas. El impacto de esta mala configuración es alto, ya que puede conducir a un acceso no autorizado a datos confidenciales del usuario y exponer el sistema a varios tipos de ataques enumerados en el artículo de PortSwigger vinculado en las referencias. La versión 2.52.1 contiene un parche para este problema. Como workaround, los usuarios pueden validar manualmente las configuraciones de CORS en su implementación para asegurarse de que no permitan un origen comodín cuando las credenciales estén habilitadas. La API de recuperación del navegador, así como los navegadores y las utilidades que aplican las políticas CORS, no se ven afectados por esto.

21 Feb 2024, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-02-21 21:15

Updated : 2024-02-22 19:07

NVD link : CVE-2024-25124

Mitre link : CVE-2024-25124

CVE.ORG link : CVE-2024-25124

JSON object : View

Products Affected

No product.

CWE
CWE-346

Origin Validation Error

CWE-942

Permissive Cross-domain Policy with Untrusted Domains