CVE-2024-25124

CRITICAL Year: 2024
CVSS v3 Score
9.8
Critical
Weakness Type
CWE-346
View all →

Vulnerability Description

Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this.

Related Vulnerabilities

CVE-2000-1218

CRITICAL
CVSS:9.8(Critical)

The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts tha...

CWE-3462000

CVE-2003-0174

CRITICAL
CVSS:9.8(Critical)

The LDAP name service (nsd) in IRIX 6.5.19 and earlier does not properly verify if the USERPASSWORD attribute has been provided by an LDAP server, which could allow attackers to log in without a passw...

CWE-3462003

CVE-2017-13274

CRITICAL
CVSS:9.8(Critical)

In the getHost() function of UriTest.java, there is the possibility of incorrect web origin determination. This could lead to incorrect security decisions with no additional execution privileges neede...

CWE-3462017

CVE-2017-20146

CRITICAL
CVSS:9.8(Critical)

Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the...

CWE-3462017

CVE-2018-15723

CRITICAL
CVSS:9.8(Critical)

The Logitech Harmony Hub before version 4.15.206 is vulnerable to application level command injection via crafted HTTP request. An unauthenticated remote attacker can leverage this vulnerability to ex...

CWE-3462018

CVE-2018-5116

CRITICAL
CVSS:9.8(Critical)

WebExtensions with the "ActiveTab" permission are able to access frames hosted within the active tab even if the frames are cross-origin. Malicious extensions can inject frames from arbitrary origins ...

CWE-3462018