9.8

CVE-2024-25124

Exploit

Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials

Fiber is a web framework written in Go. Prior to version 2.52.1, the CORS middleware allows insecure configurations that could expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also setting Access-Control-Allow-Credentials to true, which goes against recommended security best practices. The impact of this misconfiguration is high, as it can lead to unauthorized access to sensitive user data and expose the system to the types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configuration in their implementation to ensure that it does not allow a wildcard origin when credentials are enabled. The browser Fetch API, as well as browsers and utilities that enforce CORS policies, are not affected by this.
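The workaround described above is a configuration check: refuse a wildcard origin whenever credentials are enabled. The following Go program is an added illustration and is not Fiber's code; `CORSConfig`, `Validate` and `ResponseHeaders` are hypothetical names standing in for a middleware's settings and its header logic. It also shows the safe alternative the advisory implies: when credentials are on, reflect only an allowlisted `Origin` back, never `*`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CORSConfig is a hypothetical, minimal stand-in for a CORS middleware's
// settings; it is not Fiber's configuration type.
type CORSConfig struct {
	AllowOrigins     string // comma-separated allowlist, or "*"
	AllowCredentials bool
}

// ErrWildcardWithCredentials is returned for the combination the advisory
// describes: a wildcard origin together with credentials.
var ErrWildcardWithCredentials = errors.New(
	`cors: AllowOrigins "*" cannot be combined with AllowCredentials=true`)

// origins returns the trimmed, non-empty allowlist entries.
func (c CORSConfig) origins() []string {
	var out []string
	for _, o := range strings.Split(c.AllowOrigins, ",") {
		if o = strings.TrimSpace(o); o != "" {
			out = append(out, o)
		}
	}
	return out
}

// Validate implements the workaround from the advisory text: refuse a
// configuration that allows any origin while also sending credentials.
func (c CORSConfig) Validate() error {
	if !c.AllowCredentials {
		return nil
	}
	for _, o := range c.origins() {
		if o == "*" {
			return ErrWildcardWithCredentials
		}
	}
	return nil
}

// ResponseHeaders computes the CORS response headers a safe middleware would
// emit for a request carrying the given Origin header. It returns nil when
// the configuration is invalid or the origin is not allowed, so the browser
// blocks the cross-origin read.
func (c CORSConfig) ResponseHeaders(origin string) map[string]string {
	if c.Validate() != nil {
		return nil
	}
	h := map[string]string{}
	for _, o := range c.origins() {
		if o == "*" {
			// Validate guarantees credentials are off here, so a literal
			// wildcard is safe: the browser never attaches cookies to it.
			h["Access-Control-Allow-Origin"] = "*"
			return h
		}
		if strings.EqualFold(o, origin) {
			// Reflect only an allowlisted origin, and tell caches that the
			// answer depends on the Origin request header.
			h["Access-Control-Allow-Origin"] = origin
			h["Vary"] = "Origin"
			if c.AllowCredentials {
				h["Access-Control-Allow-Credentials"] = "true"
			}
			return h
		}
	}
	return nil
}

func main() {
	// Constructed sample configurations for a stand-alone run.
	for _, c := range []CORSConfig{
		{AllowOrigins: "*", AllowCredentials: true},                   // rejected
		{AllowOrigins: "*", AllowCredentials: false},                  // fine: no cookies
		{AllowOrigins: "https://app.example", AllowCredentials: true}, // fine: allowlist
	} {
		fmt.Printf("%+v -> validate: %v, headers: %v\n",
			c, c.Validate(), c.ResponseHeaders("https://app.example"))
	}
}
```

The check belongs at startup, where a rejected configuration fails fast, rather than per request; the per-request logic only needs to reflect a matching allowlist entry and set `Vary: Origin` so shared caches do not serve one origin's answer to another.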
Data provided by the National Vulnerability Database (NVD)
Affected product: Gofiber Fiber, software platform: go, version < 2.52.1
No warning was found for this CVE.
EPSS Metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.66%   0.467

CVSS Metrics
Source                           Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov                     9.8          3.9             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com   9.4          3.9             5.5            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

CWE-942 Permissive Cross-domain Policy with Untrusted Domains

The product uses a cross-domain policy file that includes domains that should not be trusted.

References
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html (Third Party Advisory, Exploit)
https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials (Technical Description)
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials (Technical Description)
https://fetch.spec.whatwg.org/#cors-protocol-and-credentials (Technical Description)
https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23 (Patch)
https://github.com/gofiber/fiber/releases/tag/v2.52.1 (Release Notes)
https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg (Vendor Advisory, Exploit)
https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true (Broken Link)