CVE-2024-27302

06.03.2024, 19:15

go-zero is a web and rpc framework. Go-zero allows user to specify a CORS Filter with a configurable allows param - which is an array of domains allowed in CORS policy. However, the `isOriginAllowed` uses `strings.HasSuffix` to check the origin, which leads to bypass via a malicious domain. This vulnerability is capable of breaking CORS policy and thus allowing any page to make requests and/or retrieve data on behalf of other users. Version 1.4.4 fixes this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.1 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
GitHub_M	CNA	9.1 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Vendor	Product	Version
go-zero	go-zero	𝑥 < 1.4.4

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

https://github.com/zeromicro/go-zero/commit/d9d79e930dff6218a873f4f02115df61c38b15db

https://github.com/zeromicro/go-zero/security/advisories/GHSA-fgxv-gw55-r5fq

https://github.com/zeromicro/go-zero/commit/d9d79e930dff6218a873f4f02115df61c38b15db

https://github.com/zeromicro/go-zero/security/advisories/GHSA-fgxv-gw55-r5fq