Gin mishandles a wildcard at the end of an origin string
Moderate severity
GitHub Reviewed
Published
Jun 29, 2024
to the GitHub Advisory Database
•
Updated Jul 5, 2024
Description
Published by the National Vulnerability Database
Jun 29, 2024
Published to the GitHub Advisory Database
Jun 29, 2024
Reviewed
Jul 1, 2024
Last updated
Jul 5, 2024
parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.
References