CVE-2019-25211 Information

Description

parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string e.g. https://example.community/ is allowed when the intention is that only https://example.com/ should be allowed and http://localhost.example.com/ is allowed when the intention is that only http://localhost/ should be allowed.

Reference

https://github.com/gin-contrib/cors/pull/57 https://github.com/gin-contrib/cors/pull/106 https://github.com/gin-contrib/cors/compare/v1.5.0…v1.6.0 https://github.com/gin-contrib/cors/releases/tag/v1.6.0 https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d