Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04NHByLW00anItODVnNc4AA7Nz
flask-cors vulnerable to log injection when the log level is set to debug
corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.
Permalink: https://github.com/advisories/GHSA-84pr-m4jr-85g5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NHByLW00anItODVnNc4AA7Nz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: 7 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-84pr-m4jr-85g5, CVE-2024-1681
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-1681
- https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644
- https://github.com/corydolphin/flask-cors/blob/40acc8092332dfed4bb54d7a4f89a6d479466de7/flask_cors/extension.py#L194
- https://github.com/advisories/GHSA-84pr-m4jr-85g5
Blast Radius: 22.7
Affected Packages
pypi:flask-cors
Dependent packages: 437Dependent repositories: 18,926
Downloads: 14,396,271 last month
Affected Version Ranges: <= 4.0.0
Fixed in: 4.0.1
All affected versions: 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 4.0.0
All unaffected versions: 4.0.1, 4.0.2, 5.0.0