1  info:
 2    name: feast
 3    cve: CVE-2024-11602
 4    summary: Insecure CORS configuration in feast-dev/feast version 0.40.0
 5    details: |
 6      A Cross-Origin Resource Sharing (CORS) vulnerability exists in feast-dev/feast version 0.40.0.
 7      The CORS configuration on the agentscope server does not properly restrict access to only trusted origins,
 8      allowing any external domain to make requests to the API. This can bypass intended security controls
 9      and potentially expose sensitive information.
10    cvss: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
11    severity: HIGH
12    security_advise: |
13      1. Upgrade to feast-dev/feast version 0.40.1 or later.
14      2. Review and modify the CORS configuration to restrict access to trusted origins only.
15      3. Implement additional security controls to prevent unauthorized API access.
16  rule: version == "0.40.0"
17  references:
18    - https://nvd.nist.gov/vuln/detail/CVE-2024-11602
19    - https://huntr.com/bounties/7b24ecbe-0af7-4125-ab56-bce09786042e