CVE-2024-25124

{"id": "CVE-2024-25124", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-02-21T21:15:09.250", "references": [{"url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true", "tags": ["Broken Link"], "source": "security-advisories@github.com"}, {"url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials", "tags": ["Technical Description"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials", "tags": ["Technical Description"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials", "tags": ["Technical Description"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-942"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this."}, {"lang": "es", "value": "Fiber es un framework web escrito en go. Antes de la versi\u00f3n 2.52.1, el middleware CORS permit\u00eda configuraciones inseguras que podr\u00edan exponer la aplicaci\u00f3n a m\u00faltiples vulnerabilidades relacionadas con CORS. Espec\u00edficamente, permite establecer el encabezado Access-Control-Allow-Origin en un comod\u00edn (`*`) y al mismo tiempo tener Access-Control-Allow-Credentials establecido en verdadero, lo que va en contra de las mejores pr\u00e1cticas de seguridad recomendadas. El impacto de esta mala configuraci\u00f3n es alto, ya que puede conducir a un acceso no autorizado a datos confidenciales del usuario y exponer el sistema a varios tipos de ataques enumerados en el art\u00edculo de PortSwigger vinculado en las referencias. La versi\u00f3n 2.52.1 contiene un parche para este problema. Como workaround, los usuarios pueden validar manualmente las configuraciones de CORS en su implementaci\u00f3n para asegurarse de que no permitan un origen comod\u00edn cuando las credenciales est\u00e9n habilitadas. La API de recuperaci\u00f3n del navegador, as\u00ed como los navegadores y las utilidades que aplican las pol\u00edticas CORS, no se ven afectados por esto."}], "lastModified": "2025-02-05T22:03:51.013", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "FE99D46C-AA78-4C2D-B608-48B3FAAB2882", "versionEndExcluding": "2.52.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}