CVE-2017-11173 Information
Feb 14, 2021
cve
Description
Missing anchor in generated regex for rack-cors before 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed.
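The pattern the description refers to, as an added illustration that is not rack-cors's own code: a regex generated from the configured origin host but left unanchored accepts the lookalike hosts named above, while the anchored form accepts only the configured host. The helper names and the sample Origin values are constructed for this example.

```ruby
# Illustration of the CVE-2017-11173 pattern (hypothetical code, not rack-cors):
# an origin regex built from a configured host without anchors matches any
# Origin header that merely contains that host.

# Constructed sample Origin header values as they would arrive in requests.
ORIGINS = [
  "https://example.com",                # the trusted host
  "https://example.com:8443",           # trusted host with an explicit port
  "https://example.com.example.net",    # trusted host as a label of another domain
  "https://example.com-example.net",    # trusted host as a prefix of another domain
  "https://notexample.com"              # unrelated host
].freeze

# Vulnerable style: the host is escaped, but the regex has no end anchor, so
# anything that starts with "https://example.com" is accepted, including the
# two lookalike domains from the description.
def unanchored_origin_pattern(host)
  Regexp.new("https?://#{Regexp.escape(host)}")
end

# Fixed style: anchor both ends of the string (\A and \z) so only the exact
# scheme and host, with an optional port, can satisfy the regex.
def anchored_origin_pattern(host)
  Regexp.new("\\Ahttps?://#{Regexp.escape(host)}(?::\\d+)?\\z")
end

# Return the subset of origins a given pattern would allow.
def allowed_origins(origins, pattern)
  origins.select { |origin| origin.match?(pattern) }
end

if __FILE__ == $PROGRAM_NAME
  puts "unanchored: #{allowed_origins(ORIGINS, unanchored_origin_pattern('example.com')).inspect}"
  puts "anchored:   #{allowed_origins(ORIGINS, anchored_origin_pattern('example.com')).inspect}"
end
```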
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Reference
http://seclists.org/fulldisclosure/2017/Jul/22
http://www.debian.org/security/2017/dsa-3931
https://github.com/cyu/rack-cors/commit/42ebe6caa8e85ffa9c8a171bda668ba1acc7a5e6
https://packetstormsecurity.com/files/143345/rack-cors-Missing-Anchor.html
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Base Severity
HIGH