CVE-2017-11173: Improper Access Control

July 13, 2017 (updated March 3, 2020)

Missing anchor in generated regex for rack-cors allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed.

References

nvd.nist.gov/vuln/detail/CVE-2017-11173
packetstormsecurity.com/files/143345/rack-cors-Missing-Anchor.html

Code Behaviors & Features

Detect and mitigate CVE-2017-11173 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →