Description
A missing anchor in the regex that rack-cors before 0.4.1 generates from a configured origin allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed, because the unanchored pattern matches anywhere inside the supplied origin.
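As an added illustration of the bug described above (this is not rack-cors's own code; the helper names and the scheme/port handling are assumptions), the following Ruby builds a regex from the configured host with and without anchors and checks the lookalike origins named in the description against both:

```ruby
# Constructed example, not rack-cors's implementation. A CORS allow-list turns a
# configured host string into a Regexp; without anchors the pattern only has to
# occur *somewhere* in the Origin header value.

# Hypothetical vulnerable construction: host is escaped but not anchored.
def unanchored_origin_regex(host)
  Regexp.new(Regexp.escape(host))
end

# Corrected construction: anchor the whole origin (optional scheme, host,
# optional port) so nothing may precede or follow the configured host.
def anchored_origin_regex(host)
  /\A(?:https?:\/\/)?#{Regexp.escape(host)}(?::\d+)?\z/i
end

def origin_allowed?(regex, origin)
  !!(regex =~ origin)
end

# Constructed sample Origin values, including the lookalikes from the advisory.
ORIGINS = [
  "https://example.com",
  "https://example.com:443",
  "https://example.com.example.net",
  "https://example.com-example.net",
  "https://evil.example.net",
].freeze

# Returns a hash of origin => allowed? for the given regex.
def check_all(regex)
  ORIGINS.each_with_object({}) { |o, h| h[o] = origin_allowed?(regex, o) }
end

if __FILE__ == $0
  puts "unanchored: #{check_all(unanchored_origin_regex("example.com")).inspect}"
  puts "anchored:   #{check_all(anchored_origin_regex("example.com")).inspect}"
end
```

With the unanchored regex both lookalike origins are accepted; with the anchored one only example.com (with or without a port) passes.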
References (4)
Mailing List, Third Party Advisory (x_refsource_misc): http://seclists.org/fulldisclosure/2017/Jul/22
Third Party Advisory, VDB Entry (x_refsource_misc): https://packetstormsecurity.com/files/143345/rack-cors-Missing-Anchor.html
Patch, Third Party Advisory (x_refsource_misc): https://github.com/cyu/rack-cors/commit/42ebe6caa8e85ffa9c8a171bda668ba1acc7a5e6
Third Party Advisory, vendor-advisory (x_refsource_debian): http://www.debian.org/security/2017/dsa-3931
Scores
CVSS v3: 8.8
EPSS: 0.0175
EPSS Percentile: 82.7%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
Status: published
Products (3)
debian/debian_linux: 9.0
rack-cors_project/rack-cors: < 0.4.1
rubygems/rack-cors: 0 - 0.4.1 (RubyGems)
Published: Jul 13, 2017
Tracked Since: Feb 18, 2026