RubyGems package
rack-cors
pkg:gem/rack-cors
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-27456 | — | | | >= 2.0.1, < 2.0.2 | 2.0.2 | Feb 26, 2024 | rack-cors (aka Rack CORS Middleware) 2.0.1 has 0666 permissions for the .rb files. |
| CVE-2019-18978 | — | | | < 1.0.4 | 1.0.4 | Nov 14, 2019 | An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. |
| CVE-2017-11173 | High | 8.8 | | < 0.4.1 | 0.4.1 | Jul 13, 2017 | Missing anchor in generated regex for rack-cors before 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example. |