|
|
Message-ID: <7ed5e33c-2a5b-2d1c-aed7-7751eea53799@apache.org> Date: Wed, 08 Jul 2026 17:30:14 +0000 From: Junkai Xue <jxue@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2026-57111: Apache Helix REST: Permissive CORS Configuration in REST API Allows Unrestricted Cross-Origin Severity: low Affected versions: - Apache Helix REST (org.apache.helix:helix-rest) through 2.0.0 Description: Permissive Cross-Origin Resource Sharing (CORS) in the REST API (helix-rest, org.apache.helix.rest.server.filters.CORSFilter) in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin requests to administrative REST endpoints via a cross-origin request from an arbitrary origin, since the filter unconditionally returns Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true and reflects arbitrary Access-Control-Request-Method / Access-Control-Request-Headers values in preflight responses. Users are recommended to upgrade to version 2.0.1, which fixes this issue. Credit: Aastha Aggarwal (reporter) References: https://helix.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-57111
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.