High severity 8.8 · NVD Advisory · Published Jul 13, 2017 · Updated Jun 17, 2026
CVE-2017-11173
Description
Missing anchor in generated regex for rack-cors before 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed.
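The flaw described above, as an added Ruby illustration (not rack-cors source code; the function names and sample origins are constructed for this example). It puts an origin pattern built without an end anchor beside one pinned with `\A` and `\z`, and lists the origins that only the unanchored form accepts.

```ruby
# Added illustration; not rack-cors source. All function names are hypothetical.

# Weak form: anchored at the start only, so any origin that merely
# begins with the trusted host is accepted.
def unanchored_origin_pattern(host)
  /\Ahttps?:\/\/#{Regexp.escape(host)}/i
end

# Hardened form: \A and \z pin the match to the whole string. In Ruby,
# ^ and $ match at line boundaries, so \A and \z are the strict choice.
def anchored_origin_pattern(host)
  /\Ahttps?:\/\/#{Regexp.escape(host)}\z/i
end

def origin_allowed?(pattern, origin)
  !origin.nil? && pattern.match?(origin)
end

# Constructed Origin header values using the hostnames from the description.
SAMPLE_ORIGINS = [
  "https://example.com",
  "https://example.com.example.net",
  "https://example.com-example.net",
  "https://example.net",
].freeze

# Evaluate every sample origin against both patterns.
def audit(host, origins = SAMPLE_ORIGINS)
  weak = unanchored_origin_pattern(host)
  strict = anchored_origin_pattern(host)
  origins.map do |o|
    { origin: o, unanchored: origin_allowed?(weak, o), anchored: origin_allowed?(strict, o) }
  end
end

# Origins accepted only by the unanchored pattern: a regression set worth
# keeping in the test suite of any origin allow-list.
def wrongly_allowed(host, origins = SAMPLE_ORIGINS)
  audit(host, origins).select { |r| r[:unanchored] && !r[:anchored] }.map { |r| r[:origin] }
end

audit("example.com").each { |r| puts r.inspect } if __FILE__ == $PROGRAM_NAME
```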
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rack-cors (RubyGems) | < 0.4.1 | 0.4.1 |
References
- github.com/cyu/rack-cors/commit/42ebe6caa8e85ffa9c8a171bda668ba1acc7a5e6 (nvd: Patch, Third Party Advisory, WEB)
- seclists.org/fulldisclosure/2017/Jul/22 (nvd: Mailing List, Third Party Advisory, WEB)
- www.debian.org/security/2017/dsa-3931 (nvd: Third Party Advisory, WEB)
- github.com/advisories/GHSA-2j9c-9vmv-7m39 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-11173 (ghsa: ADVISORY)
- packetstormsecurity.com/files/143345/rack-cors-Missing-Anchor.html (nvd: Third Party Advisory, VDB Entry, WEB)