8.8

CVE-2017-11173

Missing anchor in generated regex for rack-cors before 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Rack-cors ProjectRack-cors SwPlatformruby Version < 0.4.1
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.35% 0.814
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
Es wurden noch keine Informationen zu CWE veröffentlicht.
http://seclists.org/fulldisclosure/2017/Jul/22
Third Party Advisory
Mailing List
http://www.debian.org/security/2017/dsa-3931
Third Party Advisory
https://github.com/cyu/rack-cors/commit/42ebe6caa8e85ffa9c8a171bda668ba1acc7a5e6
Patch
Third Party Advisory
https://packetstormsecurity.com/files/143345/rack-cors-Missing-Anchor.html
Third Party Advisory
VDB Entry