CVE-2024-1681 – flask-cors

Package

Manager: pip
Name: flask-cors
Vulnerable Version: >=0 <4.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00174 pctl0.39191

Details

flask-cors vulnerable to log injection when the log level is set to debug corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.

Metadata

Created: 2024-04-19T21:31:08Z
Modified: 2024-05-07T13:28:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-84pr-m4jr-85g5/GHSA-84pr-m4jr-85g5.json
CWE IDs: ["CWE-117"]
Alternative ID: GHSA-84pr-m4jr-85g5
Finding: F091
Auto approve: 1