parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/gin-gonic/gin (Go) | 0 | 1.6.0 | N/A |
| github.com/gin-contrib/cors (Go) | 0 | 1.6.0 | N/A |
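The following Go program is an added illustration, not code from gin-contrib/cors. It models the failure described above as a prefix that ends one character too early before the trailing `*` (that off-by-one is an assumption chosen because it reproduces both advisory examples), places the corrected prefix derivation beside it, and lets a reviewer confirm which origins each variant admits.

```go
package main

import (
	"fmt"
	"strings"
)

// prefixRule derives the literal prefix that a trailing-wildcard allow-origin
// pattern (e.g. "https://example.com/*") must match. The vulnerable variant
// models the behaviour in the advisory (assumed: the character immediately
// before the "*" is dropped); the fixed variant keeps every character up to
// the "*". Patterns with no trailing wildcard are not handled here.
func prefixRule(pattern string, fixed bool) (string, bool) {
	if strings.Count(pattern, "*") != 1 {
		return "", false
	}
	i := strings.Index(pattern, "*")
	if i != len(pattern)-1 {
		return "", false
	}
	if i == 0 {
		return "", true // bare "*" matches every origin in both variants
	}
	if fixed {
		return pattern[:i], true
	}
	return pattern[:i-1], true
}

// originAllowed reports whether origin satisfies any trailing-wildcard pattern.
func originAllowed(origin string, patterns []string, fixed bool) bool {
	for _, p := range patterns {
		prefix, ok := prefixRule(p, fixed)
		if ok && strings.HasPrefix(origin, prefix) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed allow-list and sample origins taken from the advisory text.
	patterns := []string{"https://example.com/*", "http://localhost/*"}
	origins := []string{
		"https://example.community",   // should be rejected
		"http://localhost.example.com", // should be rejected
		"https://example.com/app",      // legitimately allowed
	}
	for _, o := range origins {
		fmt.Printf("%-30s vulnerable=%-5v fixed=%v\n",
			o, originAllowed(o, patterns, false), originAllowed(o, patterns, true))
	}
}
```

Running the program prints one line per origin; the two lookalike origins are admitted only by the vulnerable variant, while the genuine sub-path is admitted by both.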