PYSEC-2024-71

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/flask-cors/PYSEC-2024-71.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2024-71
Aliases
Published
2024-08-18T19:15:00Z
Modified
2024-09-09T07:59:30.591275Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A vulnerability in corydolphin/flask-cors up to version 4.0.1 allows the Access-Control-Allow-Private-Network CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

References

Affected packages

PyPI / flask-cors

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.2

Affected versions

1.*

1.0
1.1
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.3.0
1.3.1
1.4.0
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0
1.8.1
1.9.0
1.10.0
1.10.1
1.10.2
1.10.3

2.*

2.0.0rc1
2.0.0
2.0.1
2.1.0
2.1.1
2.1.2
2.1.3

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10

4.*

4.0.0a0
4.0.0
4.0.1