Vulnerability title
Fiber has an insecure CORS configuration that allows a wildcard origin with credentials.
Vulnerability description
Fiber is a web framework written in Go. Prior to version 2.52.1, the CORS middleware allowed insecure configurations that could expose an application to multiple CORS-related vulnerabilities. Specifically, it allowed the Access-Control-Allow-Origin header to be set to a wildcard (*) while Access-Control-Allow-Credentials was also set to true, which goes against recommended security best practices. The impact of this misconfiguration is high because it can lead to unauthorized access to sensitive user data and expose the system to the various types of attacks listed in the PortSwigger article (linked in the references). Version 2.52.1 contains a patch for this issue. As a temporary workaround, users can manually validate the CORS configuration in their implementation to ensure that a wildcard origin is not allowed when credentials are enabled. The browser fetch API, as well as browsers and tools that enforce CORS policies, are not affected.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Vulnerability category
Incorrect authorization
Vulnerability title
Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials
Vulnerability description
Fiber is a web framework written in Go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch API, as well as browsers and utilities that enforce CORS policies, are not affected by this.
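The workaround in the advisory is a configuration check: refuse the combination of a wildcard origin and credentials before the middleware ever serves a request. The following Go example is added here to show that check and a minimal CORS middleware built on the standard library that cannot emit the insecure header pair; it is not Fiber's code, and `CORSConfig`, `ValidateCORS`, `CORSHeaders` and `NewCORSMiddleware` are hypothetical names chosen for this illustration rather than Fiber's `cors.Config` API. The origins and request values used below are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// CORSConfig is a hypothetical stand-in for a framework's CORS settings (not
// Fiber's cors.Config); it carries the two fields the advisory is about.
type CORSConfig struct {
	AllowOrigins     []string // exact origins such as "https://app.example"; "*" means any
	AllowCredentials bool     // whether to emit Access-Control-Allow-Credentials: true
}

// ErrWildcardWithCredentials is returned for the configuration the advisory describes.
var ErrWildcardWithCredentials = errors.New(`cors: AllowOrigins "*" cannot be combined with AllowCredentials=true`)

// ValidateCORS implements the advisory's workaround as a startup check: a
// wildcard origin is acceptable on its own, but never together with credentials.
func ValidateCORS(c CORSConfig) error {
	if !c.AllowCredentials {
		return nil
	}
	for _, o := range c.AllowOrigins {
		if strings.TrimSpace(o) == "*" {
			return ErrWildcardWithCredentials
		}
	}
	return nil
}

// matchOrigin returns the value to place in Access-Control-Allow-Origin for the
// request's Origin, or "" when the origin is not on the allow-list. Origins are
// compared as whole strings (scheme, host and port), never as prefixes or substrings.
func matchOrigin(c CORSConfig, origin string) string {
	for _, o := range c.AllowOrigins {
		switch {
		case o == "*":
			return "*"
		case strings.EqualFold(o, origin):
			return origin
		}
	}
	return ""
}

// CORSHeaders computes the response headers for one request origin. Even if a
// caller skipped ValidateCORS, it refuses to emit "*" together with credentials;
// a credentialed response always echoes one specific, allow-listed origin.
func CORSHeaders(c CORSConfig, origin string) map[string]string {
	h := map[string]string{}
	if origin == "" {
		return h // same-origin or non-browser request: nothing to add
	}
	allowed := matchOrigin(c, origin)
	if allowed == "" || (allowed == "*" && c.AllowCredentials) {
		return h // not allowed (or the insecure pair): emit no CORS headers at all
	}
	h["Access-Control-Allow-Origin"] = allowed
	if allowed != "*" {
		h["Vary"] = "Origin" // the answer depends on the request origin; keep shared caches honest
	}
	if c.AllowCredentials {
		h["Access-Control-Allow-Credentials"] = "true"
	}
	return h
}

// NewCORSMiddleware wraps a handler and panics on the insecure configuration, so
// the misconfiguration surfaces at startup rather than silently at request time.
// Preflight responses here carry only the origin/credentials headers; a full
// implementation would also answer Allow-Methods and Allow-Headers.
func NewCORSMiddleware(c CORSConfig, next http.Handler) http.Handler {
	if err := ValidateCORS(c); err != nil {
		panic(err)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range CORSHeaders(c, r.Header.Get("Origin")) {
			w.Header().Set(k, v)
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	insecure := CORSConfig{AllowOrigins: []string{"*"}, AllowCredentials: true}
	fmt.Println("insecure config:", ValidateCORS(insecure))

	safe := CORSConfig{AllowOrigins: []string{"https://app.example"}, AllowCredentials: true}
	fmt.Println("safe config:", ValidateCORS(safe))
	fmt.Println("allowed origin:", CORSHeaders(safe, "https://app.example"))
	fmt.Println("other origin:", CORSHeaders(safe, "https://other.example"))
}
```

The check runs once, when the middleware is constructed, which is the point of the advisory's fix: a configuration that would pair `*` with credentials is a programming error, not something to be resolved per request. Note also that an origin that is not on the allow-list receives no `Access-Control-Allow-Origin` header at all rather than a reflected value, and that the origin comparison is on the whole string, so `https://app.example.attacker` does not match `https://app.example`.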
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Vulnerability category
Origin validation error
Vulnerability title
Fiber security vulnerability
Vulnerability description
Fiber is an open-source web framework written in Go. Versions of Fiber prior to 2.52.1 contain a security vulnerability that stems from allowing insecure configurations, which may lead to unauthorized access to sensitive user data.
CVSS information
N/A
Vulnerability category
Other