
x/vulndb: denial of service in github.com/rs/cors #2883

Closed
1 task done
jub0bs opened this issue May 26, 2024 · 2 comments

Comments

@jub0bs

jub0bs commented May 26, 2024

Acknowledgement

  • The maintainer(s) of the affected project have already been made aware of this vulnerability.

Description

The middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include an Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server in an attempt to cause a denial of service.

Affected Modules, Packages, Versions and Symbols

Module: github.com/rs/cors
Package: github.com/rs/cors
Versions:
  - Introduced: 1.9.0
  - Fixed: 1.11.0
Symbols:
  - AllowAll
  - Default
  - Cors
  - New

Fix Commit or Pull Request

rs/cors#171

References
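As an added, defensive illustration of the allocation problem described above (this is example code, not code from rs/cors or from the fix in rs/cors#171), the function below validates an ACRH value against an allow-list while keeping allocations bounded by a fixed cap on the number of header names rather than by the number of commas in the request. The limits, error values and the assumption that the allow-list is keyed by canonical header name are choices made for this example.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// Constructed limits for this example; they are not values taken from rs/cors.
const (
	maxACRHLen   = 1024 // bytes of Access-Control-Request-Headers accepted
	maxACRHNames = 32   // header names accepted in one preflight
)

var (
	errACRHTooLong    = errors.New("Access-Control-Request-Headers too long")
	errACRHEmptyName  = errors.New("empty name in Access-Control-Request-Headers")
	errACRHTooMany    = errors.New("too many names in Access-Control-Request-Headers")
	errACRHNotAllowed = errors.New("requested header not allowed")
)

// checkRequestHeaders validates an ACRH value against an allow-list keyed by
// canonical header name. It never builds a slice whose size grows with the
// number of commas: it walks the value with strings.Cut, counts names as it
// goes, and fails as soon as a limit is exceeded or an empty element is seen.
func checkRequestHeaders(acrh string, allowed map[string]bool) error {
	if acrh == "" {
		return nil // preflight requested no extra headers
	}
	if len(acrh) > maxACRHLen {
		return errACRHTooLong
	}
	for rest, n := acrh, 1; ; n++ {
		name, tail, more := strings.Cut(rest, ",")
		if name = strings.TrimSpace(name); name == "" {
			return errACRHEmptyName // e.g. ",,,," or a trailing comma
		}
		if n > maxACRHNames {
			return errACRHTooMany
		}
		if !allowed[http.CanonicalHeaderKey(name)] {
			return errACRHNotAllowed
		}
		if !more {
			return nil
		}
		rest = tail
	}
}
```

A middleware would reject the preflight (for example with 403) on any non-nil error, so a comma-heavy value is refused after a single bounded pass instead of being split into a large slice.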

@gopherbot
Contributor

Change https://go.dev/cl/595963 mentions this issue: data/reports: add GO-2024-2883

@gopherbot
Contributor

Change https://go.dev/cl/597156 mentions this issue: data/reports: update 2 reports

gopherbot pushed a commit that referenced this issue Jul 9, 2024
Add GHSAs for reports we created.

  - data/reports/GO-2024-2567.yaml
  - data/reports/GO-2024-2883.yaml

Updates #2567
Updates #2883
Fixes #2976
Fixes #2975

Change-Id: I4c4a975148abd1e81fd75dd2d74c8e9951f568b1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/597156
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Tim King <[email protected]>