GHSA-hxwh-jpp2-84pm

Suggest an improvement
Source
https://github.com/advisories/GHSA-hxwh-jpp2-84pm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-hxwh-jpp2-84pm/GHSA-hxwh-jpp2-84pm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hxwh-jpp2-84pm
Aliases
Related
Published
2024-08-18T21:31:07Z
Modified
2024-11-19T22:34:40.090966Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default
Details

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the Access-Control-Allow-Private-Network CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

Database specific
{
    "nvd_published_at": "2024-08-18T19:15:04Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-19T18:25:39Z"
}
References

Affected packages

PyPI / flask-cors

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.2

Affected versions

1.*

1.0
1.1
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.3.0
1.3.1
1.4.0
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0
1.8.1
1.9.0
1.10.0
1.10.1
1.10.2
1.10.3

2.*

2.0.0rc1
2.0.0
2.0.1
2.1.0
2.1.1
2.1.2
2.1.3

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10

4.*

4.0.0a0
4.0.0
4.0.1