CVE-2019-25211

Publication date 29 June 2024

Last updated 24 July 2024

Ubuntu priority

parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
golang-github-gin-contrib-cors	24.04 LTS noble	Needs evaluation
	23.10 mantic	Ignored
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2019-25211
https://github.com/gin-contrib/cors/pull/57
https://github.com/gin-contrib/cors/pull/106
https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0
https://github.com/gin-contrib/cors/releases/tag/v1.6.0
https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d