SCA: security update for github.com/zeromicro/go-zero (GHSA-fgxv-gw55-r5fq)

critical Tenable Self-Hosted Container Security Plugin ID 414512

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- go-zero is a web and rpc framework. Go-zero allows user to specify a CORS Filter with a configurable
allows param - which is an array of domains allowed in CORS policy. However, the `isOriginAllowed` uses
`strings.HasSuffix` to check the origin, which leads to bypass via a malicious domain. This vulnerability
is capable of breaking CORS policy and thus allowing any page to make requests and/or retrieve data on
behalf of other users. Version 1.4.4 fixes this issue. (CVE-2024-27302)

Solution

Update the github.com/zeromicro/go-zero library and its related packages to version 1.4.4 or later.

See Also

https://github.com/advisories/GHSA-fgxv-gw55-r5fq

Plugin Details

Severity: Critical

ID: 414512

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.37

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2024-27302

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/4/2024

Vulnerability Publication Date: 3/4/2024

Reference Information

CVE: CVE-2024-27302

cwe: CWE-639