CVE-2017-20146

Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GoCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
VendorProductVersion
gorillatoolkithandlers
𝑥
< 1.3.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-github-gorilla-handlers
bullseye
1.4.2-1
fixed
bookworm
1.5.1-3
fixed
sid
1.5.2-1
fixed
trixie
1.5.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-coreos-discovery-etcd-io
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
focal
needs-triage
bionic
dne
xenial
ignored
trusty
ignored
golang-github-gorilla-handlers
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
Common Weakness Enumeration
References
https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145
https://github.com/gorilla/handlers/pull/116
https://pkg.go.dev/vuln/GO-2020-0020
https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145
https://github.com/gorilla/handlers/pull/116
https://pkg.go.dev/vuln/GO-2020-0020