CVE-2022-1996: Authorization Bypass Through User-Controlled Key in emicklei/go-restful
First published: Mon Jun 06 2022(Updated: )
A flaw was found in CORS Filter feature from the go-restful package. When a user inputs a domain which is in AllowedDomains, all domains starting with the same pattern are accepted. This issue could allow an attacker to break the CORS policy by allowing any page to make requests and retrieve data on behalf of users.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openshift-serverless-clients | <0:1.3.1-4.el8 | 0:1.3.1-4.el8 |
| redhat/openshift-gitops-kam | <0:1.8.3-6.el8 | 0:1.8.3-6.el8 |
| redhat/openshift-gitops-kam | <0:1.9.0-102.el8 | 0:1.9.0-102.el8 |
| redhat/go-restful | <3.8.0 | 3.8.0 |
| IBM Db2 Warehouse | <=v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh 6v4.7 through refresh 4v4.8 through refresh 4 | |
| go-restful | <2.16.0 | |
| go-restful | >=3.0.0<3.8.0 | |
| Red Hat Fedora | =35 | |
| Red Hat Fedora | =36 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-1996 https://nvd.nist.gov/vuln/detail/CVE-2022-1996
- https://bugzilla.redhat.com/show_bug.cgi?id=2094982
- https://access.redhat.com/errata/RHSA-2023:0814
- https://access.redhat.com/errata/RHSA-2022:6040
- https://access.redhat.com/errata/RHSA-2022:6042
- https://access.redhat.com/errata/RHSA-2023:3229
- https://access.redhat.com/errata/RHSA-2023:3557
- https://access.redhat.com/errata/RHSA-2022:6351
- https://access.redhat.com/errata/RHSA-2022:8609
- https://access.redhat.com/security/cve/cve-2022-1996
- https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10
- https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
- https://security.netapp.com/advisory/ntap-20220923-0005/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097966
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097965
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097968
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097969
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097970
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097971
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097972
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097973
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097974
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097975
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097976
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097977
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097978
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097979
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097980
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097981
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097982
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097967
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097983
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097984
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097987
- https://exchange.xforce.ibmcloud.com/vulnerabilities/228317
- https://www.ibm.com/support/pages/node/7155078 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2022-1996?
CVE-2022-1996 has been classified with a medium severity level due to its potential impact on CORS policy enforcement.
How do I fix CVE-2022-1996?
To remediate CVE-2022-1996, upgrade the go-restful package to version 3.8.0 or later.
What products are affected by CVE-2022-1996?
CVE-2022-1996 affects the go-restful package and specific versions of openshift-serverless-clients and openshift-gitops-kam.
Can CVE-2022-1996 allow attackers to exploit my application?
Yes, CVE-2022-1996 can allow attackers to bypass CORS policy, enabling malicious actions on behalf of users.
Is there a known workaround for CVE-2022-1996?
There are no reported workarounds for CVE-2022-1996; the recommended action is to apply the latest patch.
- collector/redhat-cve
- agent/type
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/first-publish-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-1996
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/trending
- agent/source
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- package-manager/redhat
- vendor/ibm
- canonical/ibm db2 warehouse
- version/ibm db2 warehouse/v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh 6v4.7 through refresh 4v4.8 through refresh 4
- vendor/go-restful project
- canonical/go-restful
- version/go-restful/3.0.0
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/35
- version/red hat fedora/36