CVE-2016-10549

描述

Affected versions of `sails` have an issue with the CORS configuration where the value of the origin header is reflected as the value for the `Access-Control-Allow-Origin` header. This may allow an attacker to make AJAX requests to vulnerable hosts through cross-site scripting or a malicious HTML Document, effectively bypassing the Same Origin Policy. ## Mitigating Factors This is only an issue when `allRoutes` is set to `true` and `origin` is set to `*` or left commented out in the sails CORS config file. The problem can be compounded when the cors `credentials` setting is not provided, because at that point authenticated cross domain requests are possible. ## Recommendation Update to version 0.12.7 or later. As this vulnerability is primarily a user error, the patch for the vulnerability will simply cause the application to write an error message to the console when a vulnerable configuration is used in a production environment. Writing a proper CORS configuration is still the responsibility of the user, so it is necessary to check for the error message after installing the patch. Be sure you are not using `allRoutes: true` with `origin:'*'`, and that you uncomment `origin` and set it to a reasonable value. Ensure that if `origin` is set to `*` that you truly mean for all other websites to be able to make cross-domain requests to your API. Likewise, ensure `credentials` is uncommented out and set to the appropriate value. Make sure to explicitly set which origins may request resources via CORS.

如何修補 CVE-2016-10549

要修補 CVE-2016-10549,請將受影響套件升級到下列已修補版本。

• —升級至 0.12.7 或更新版本

CVE-2016-10549 正在被利用嗎?

低 — EPSS 為 0.3%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 0.12.7

參考連結(7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10549
• PATCHgithub.com/balderdashy/sails
• WEBsailsjs.org/documentation/concepts/security/cors
• WEBsailsjs.org/documentation/reference/configuration/sails-config-cors