Improper Access Control Affecting rack-cors package, versions <1.0.0
Snyk CVSS
- Attack Complexity: High
- User Interaction: Required
- Scope: Changed
- Snyk ID SNYK-RUBY-RACKCORS-540775
- published 6 Jan 2020
- disclosed 27 Sep 2016
- credit Evan J Johnson
How to fix?
Upgrade rack-cors to version 1.0.0 or higher.
Overview
rack-cors is a Rack Middleware for handling Cross-Origin Resource Sharing (CORS), which makes cross-origin AJAX possible.
Affected versions of this package are vulnerable to Improper Access Control. Setting origin: '*' reflects the request's Origin header instead of returning the literal Access-Control-Allow-Origin: *. Defaulting to Access-Control-Allow-Credentials: true is also inherently insecure, and combined with this unexpected reflection of the Origin header it means sites are configured without a SAMEORIGIN policy.
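As an added illustration (not rack-cors's own code), a minimal Rack middleware showing the behaviour the fix restores: a wildcard is emitted literally rather than reflected, credentials are opt-in and refused together with a wildcard, and a small audit helper flags the insecure combination in captured response headers. The class and helper names (SafeCors, credentialed_reflection?, cors_headers_for) are hypothetical.

```ruby
# Added example, not rack-cors code: safe CORS handling as a plain Rack middleware.
class SafeCors
  # origins: the string '*' or an Array of exact origins; credentials: opt-in only
  def initialize(app, origins:, credentials: false)
    @app = app
    @origins = origins
    @credentials = credentials
    # The advisory's dangerous combination is refused outright: a wildcard origin
    # may never be paired with Access-Control-Allow-Credentials: true.
    raise ArgumentError, 'wildcard origin cannot allow credentials' if origins == '*' && credentials
  end

  def call(env)
    status, headers, body = @app.call(env)
    origin = env['HTTP_ORIGIN']
    if origin
      if @origins == '*'
        headers['Access-Control-Allow-Origin'] = '*'      # literal '*', never reflected
      elsif @origins.include?(origin)
        headers['Access-Control-Allow-Origin'] = origin   # reflect only allow-listed origins
        headers['Vary'] = 'Origin'                        # keep caches per-origin
        headers['Access-Control-Allow-Credentials'] = 'true' if @credentials
      end
    end
    [status, headers, body]
  end
end

# Audit helper for captured responses: probe with an origin the site should NOT
# trust; true means the response reflected it AND allowed credentials (the bug).
def credentialed_reflection?(probe_origin, headers)
  headers['Access-Control-Allow-Origin'] == probe_origin &&
    probe_origin != '*' &&
    headers['Access-Control-Allow-Credentials'] == 'true'
end

# Constructed downstream app used only for the demonstration.
BACKEND = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

def cors_headers_for(middleware, origin)
  _status, headers, _body = middleware.call('HTTP_ORIGIN' => origin, 'REQUEST_METHOD' => 'GET')
  headers
end

if __FILE__ == $PROGRAM_NAME
  wild = SafeCors.new(BACKEND, origins: '*')
  h = cors_headers_for(wild, 'https://untrusted.example')   # constructed probe origin
  puts "wildcard response flagged? #{credentialed_reflection?('https://untrusted.example', h)}"
end
```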