{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-25211", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-11-03T18:07:54.695Z", "dateReserved": "2024-06-28T00:00:00.000Z", "datePublished": "2024-06-28T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-28T23:38:39.161Z"}, "descriptions": [{"lang": "en", "value": "parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/gin-contrib/cors/pull/57"}, {"url": "https://github.com/gin-contrib/cors/pull/106"}, {"url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0"}, {"url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0"}, {"url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-346", "lang": "en", "description": "CWE-346 Origin Validation Error"}]}], "affected": [{"vendor": "gin-contrib", "product": "cors", "cpes": ["cpe:2.3:a:gin-contrib:cors:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.6.0", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-09T15:33:30.863031Z", "id": "CVE-2019-25211", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T18:16:31.181Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://github.com/gin-contrib/cors/pull/57", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/pull/106", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00024.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T18:07:54.695Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/gin-contrib/cors/pull/57", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/pull/106", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00024.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T18:07:54.695Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2019-25211", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-09T15:33:30.863031Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:gin-contrib:cors:*:*:*:*:*:*:*:*"], "vendor": "gin-contrib", "product": "cors", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346 Origin Validation Error"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T15:37:32.460Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/gin-contrib/cors/pull/57"}, {"url": "https://github.com/gin-contrib/cors/pull/106"}, {"url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0"}, {"url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0"}, {"url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d"}], "descriptions": [{"lang": "en", "value": "parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-28T23:38:39.161Z"}}}, "cveMetadata": {"cveId": "CVE-2019-25211", "state": "PUBLISHED", "dateUpdated": "2025-11-03T18:07:54.695Z", "dateReserved": "2024-06-28T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-06-28T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed."}, {"lang": "es", "value": "parseWildcardRules en el middleware CORS de Gin-Gonic anterior a la 1.6.0 maneja incorrectamente un comod\u00edn al final de una cadena de origen, por ejemplo, se permite https://example.community/* cuando la intenci\u00f3n es que solo se deber\u00eda permitir https://example.com/*, y se permite http://localhost.example.com/* cuando la intenci\u00f3n es que solo se deber\u00eda permitir http://localhost/*."}], "id": "CVE-2019-25211", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-06-29T00:15:02.107", "references": [{"source": "cve@mitre.org", "url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d"}, {"source": "cve@mitre.org", "url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0"}, {"source": "cve@mitre.org", "url": "https://github.com/gin-contrib/cors/pull/106"}, {"source": "cve@mitre.org", "url": "https://github.com/gin-contrib/cors/pull/57"}, {"source": "cve@mitre.org", "url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/gin-contrib/cors/pull/106"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/gin-contrib/cors/pull/57"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/gin-contrib/cors/releases/tag/v1.6.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00024.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:7164", "cpe": "cpe:/a:redhat:rhmt:1.8::el8", "package": "rhmtc/openshift-migration-controller-rhel8:v1.8.4-22", "product_name": "Red Hat Migration Toolkit for Containers 1.8", "release_date": "2024-09-26T00:00:00Z"}], "bugzilla": {"description": "github.com/gin-contrib/cors: Gin mishandles a wildcard in the origin string in github.com/gin-contrib/cors", "id": "2295302", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295302"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-346", "details": ["parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2019-25211", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-api-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-controller-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-openstack-populator-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-ova-provider-server-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-populator-controller-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-rhel8-operator", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-validation-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-virt-v2v-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-virt-v2v-warm-rhel8", "product_name": "Migration Toolkit for Virtualization"}], "public_date": "2024-07-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-25211\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-25211\nhttps://github.com/advisories/GHSA-869c-j7wc-8jqv\nhttps://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d\nhttps://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0\nhttps://github.com/gin-contrib/cors/pull/106\nhttps://github.com/gin-contrib/cors/pull/57\nhttps://github.com/gin-contrib/cors/releases/tag/v1.6.0"], "threat_severity": "Moderate"}

{}