CVE-2017-20146: gorilla/handlers may allow requester to bypass expected behavior of the Same Origin Policy
Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy. In practice this means the handler can echo an arbitrary request Origin back in Access-Control-Allow-Origin, so a page on any site can issue a cross-origin request to the protected endpoint and read the response; the impact is greatest where Access-Control-Allow-Credentials is also set, because the browser will then attach the victim's cookies to that request. To check an affected service, send a request with an Origin header for a domain you do not control and inspect whether the same value comes back in Access-Control-Allow-Origin.
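The following Go program is an added illustration of the header-reflection mistake the advisory describes, beside an allowlist-based handler that does not have it. It is constructed for this page and is not gorilla/handlers' own code: the two middlewares, the origins, and the /secret endpoint are all hypothetical, and the request is replayed in-process with net/http/httptest so it runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// reflectingCORS is a constructed example of the vulnerable pattern: it copies
// whatever Origin the client sent into Access-Control-Allow-Origin. Any site
// can therefore read the response cross-origin, and with
// Access-Control-Allow-Credentials the browser sends the victim's cookies.
func reflectingCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS is the hardened form: the header is emitted only for an
// origin on an explicit allowlist and omitted for everything else. Vary:
// Origin stops a shared cache from serving one origin's header to another.
func allowlistCORS(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]bool, len(allowed))
	for _, o := range allowed {
		set[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && set[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// acaoFor replays a GET carrying the given Origin through h and returns the
// Access-Control-Allow-Origin value the handler emitted ("" if none). This is
// the same check a tester would do with curl -H "Origin: ..." against a live
// service.
func acaoFor(h http.Handler, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "https://api.example.test/secret", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	// Hypothetical protected endpoint returning per-user data.
	secret := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"balance": 42}`)
	})
	attacker := "https://evil.example.test"
	trusted := []string{"https://app.example.test"}

	fmt.Println("reflecting handler:", acaoFor(reflectingCORS(secret), attacker))
	fmt.Println("allowlist handler: ", acaoFor(allowlistCORS(trusted, secret), attacker))
	fmt.Println("allowlist, trusted:", acaoFor(allowlistCORS(trusted, secret), trusted[0]))
}
```

The reflecting handler answers the attacker's Origin with that same Origin, which is exactly the condition to look for when auditing a deployment; the allowlist handler returns no Access-Control-Allow-Origin at all for the untrusted origin, so the browser blocks the read.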