Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-G27J-74FP-XFPR
HistoryApr 05, 2022 - 6:31 p.m.

Insecure default value for CORS configuration

2022-04-0518:31:22
Google
osv.dev
5
cors
configuration
unauthorized access
environment variables
directus
security advisory

EPSS

0.002

Percentile

57.7%

JSON

Impact

The default value for the CORS_ENABLED and CORS_ORIGIN configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn’t been changed.

Patches

The default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0

Workarounds

Configure the CORS environment variables to match your project’s usage, rather than leaving them at the (permissive) defaults.

For more information

If you have any questions or comments about this advisory:

Related

prion 1
github 1
nvd 1
osv 1
veracode 1
cvelist 1
cve 1
prion
prion
Default configuration
2022-12-26 06:15:00
github
github
Insecure default value for CORS configuration
2022-04-05 18:31:22
nvd
nvd
CVE-2022-26969
2022-12-26 06:15:10
osv
osv
CVE-2022-26969
2022-12-26 06:15:10
veracode
veracode
Insecure Defaults
2022-04-07 05:25:43
cvelist
cvelist
CVE-2022-26969
2022-12-26 00:00:00
cve
cve
CVE-2022-26969
2022-12-26 06:15:10

EPSS

0.002

Percentile

57.7%

JSON
Related for OSV:GHSA-G27J-74FP-XFPR
prion1github1nvd1osv1veracode1cvelist1cve1