Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oeHdoLWpwcDItODRwbc4AA-wj

Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

Permalink: https://github.com/advisories/GHSA-hxwh-jpp2-84pm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oeHdoLWpwcDItODRwbc4AA-wj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 2 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-hxwh-jpp2-84pm, CVE-2024-6221
References: Repository: https://github.com/corydolphin/flask-cors
Blast Radius: 32.1

Affected Packages

pypi:Flask-Cors
Dependent packages: 437
Dependent repositories: 18,926
Downloads: 13,069,983 last month
Affected Version Ranges: < 4.0.2
Fixed in: 4.0.2
All affected versions: 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 4.0.0, 4.0.1
All unaffected versions: 4.0.2, 5.0.0