{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-25211", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-03-14T18:16:31.181Z", "dateReserved": "2024-06-28T00:00:00.000Z", "datePublished": "2024-06-28T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-28T23:38:39.161Z"}, "descriptions": [{"lang": "en", "value": "parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/gin-contrib/cors/pull/57"}, {"url": "https://github.com/gin-contrib/cors/pull/106"}, {"url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0"}, {"url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0"}, {"url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-346", "lang": "en", "description": "CWE-346 Origin Validation Error"}]}], "affected": [{"vendor": "gin-contrib", "product": "cors", "cpes": ["cpe:2.3:a:gin-contrib:cors:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.6.0", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-09T15:33:30.863031Z", "id": "CVE-2019-25211", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T18:16:31.181Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:00:19.391Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/gin-contrib/cors/pull/57", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/pull/106", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/gin-contrib/cors/pull/57", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/pull/106", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:00:19.391Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2019-25211", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-09T15:33:30.863031Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:gin-contrib:cors:*:*:*:*:*:*:*:*"], "vendor": "gin-contrib", "product": "cors", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346 Origin Validation Error"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T15:37:32.460Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/gin-contrib/cors/pull/57"}, {"url": "https://github.com/gin-contrib/cors/pull/106"}, {"url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0"}, {"url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0"}, {"url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d"}], "descriptions": [{"lang": "en", "value": "parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-28T23:38:39.161Z"}}}, "cveMetadata": {"cveId": "CVE-2019-25211", "state": "PUBLISHED", "dateUpdated": "2025-03-14T18:16:31.181Z", "dateReserved": "2024-06-28T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-06-28T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed."}, {"lang": "es", "value": "parseWildcardRules en el middleware Gin-Gonic CORS anterior a 1.6.0 maneja mal un comod\u00edn al final de una cadena de origen, por ejemplo, https://example.community/* se permite cuando la intenci\u00f3n es que solo https://example.com/* debe permitirse, y http://localhost.example.com/* est\u00e1 permitido cuando la intenci\u00f3n es que solo se debe permitir http://localhost/*."}], "id": "CVE-2019-25211", "lastModified": "2025-03-14T19:15:39.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-06-29T00:15:02.107", "references": [{"source": "cve@mitre.org", "url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d"}, {"source": "cve@mitre.org", "url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0"}, {"source": "cve@mitre.org", "url": "https://github.com/gin-contrib/cors/pull/106"}, {"source": "cve@mitre.org", "url": "https://github.com/gin-contrib/cors/pull/57"}, {"source": "cve@mitre.org", "url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/gin-contrib/cors/pull/106"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/gin-contrib/cors/pull/57"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:7164", "cpe": "cpe:/a:redhat:rhmt:1.8::el8", "package": "rhmtc/openshift-migration-controller-rhel8:v1.8.4-22", "product_name": "Red Hat Migration Toolkit for Containers 1.8", "release_date": "2024-09-26T00:00:00Z"}], "bugzilla": {"description": "github.com/gin-contrib/cors: Gin mishandles a wildcard in the origin string in github.com/gin-contrib/cors", "id": "2295302", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295302"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-346", "details": ["parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2019-25211", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-api-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-controller-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-populator-controller-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-rhel8-operator", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-validation-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8", "product_name": "Migration Toolkit for Virtualization"}], "public_date": "2024-07-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-25211\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-25211\nhttps://github.com/advisories/GHSA-869c-j7wc-8jqv\nhttps://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d\nhttps://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0\nhttps://github.com/gin-contrib/cors/pull/106\nhttps://github.com/gin-contrib/cors/pull/57\nhttps://github.com/gin-contrib/cors/releases/tag/v1.6.0"], "threat_severity": "Moderate"}