CVE-2020-10591: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in Walmart Labs Concord versions prior to 1.44.0. The issue involves CORS (Cross-Origin Resource Sharing) Access-Control-Allow-Origin headers having an unsafe dependency on Origin headers, with no configuration options available. This vulnerability was assigned CVE-2020-10591 and was disclosed on March 15, 2020 (NVD, MITRE).

The vulnerability stems from improper implementation of CORS headers in the API endpoint api/v1/apikey. The CVSS v3.1 base score is 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a high-severity issue with network access vector, low attack complexity, and no privileges or user interaction required (NVD).

The vulnerability allows remote attackers to discover sensitive information including host information, nodes, API metadata, and references to usernames through the api/v1/apikey endpoint. An attacker can exploit this to obtain API keys of authenticated users by having them visit a malicious webpage (GitHub Issue).

The vulnerability was fixed in Concord version 1.44.0. Users should upgrade to this version or later to address the issue (GitHub Compare).