{"id":"CVE-2018-20744","details":"The Olivier Poitrey Go CORS handler (github.com/rs/cors) through 1.3.0 actively converts a wildcard CORS policy into one that reflects the arbitrary Origin header value of each request, which is incompatible with the CORS security design and could lead to CORS misconfiguration security problems.","aliases":["GHSA-927h-x4qj-r242","GO-2023-1792"],"modified":"2026-03-15T22:19:53.719807Z","published":"2019-01-28T08:29:00.230Z","references":[{"type":"ADVISORY","url":"https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-chen.pdf"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106834"},{"type":"REPORT","url":"https://github.com/rs/cors/issues/55"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rs/cors","events":[{"introduced":"0"},{"last_affected":"feef513b9575b32f84bafa580aad89b011259019"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.3.0"}]}}],"versions":["v1.0","v1.1","v1.2","v1.3.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20744.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}