CVE-2020-25032

An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.

References

Affected packages

Git / github.com/rails/rails

Affected ranges

Type: GIT
Repo: https://github.com/rails/rails
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

15e2b5887f2185e01b8d92646a7f441b8c1c549e

Affected versions

v0.*

v0.10.0

v0.10.1

v0.11.0

v0.11.1

v0.12.0

v0.13.0

v0.13.1

v0.14.1

v0.14.3

v0.9.1

v0.9.2

v0.9.3

v0.9.4

v0.9.4.1

v0.9.5

v1.*

v1.1.0

v1.1.0_RC1

v1.1.1

v2.*

v2.0.0

v2.0.0_PR

v2.0.0_RC1

v2.0.0_RC2

v2.0.1

v2.1.0

v2.1.0_RC1

v2.2.0

v2.2.1

v2.3.0

v2.3.1

v2.3.2

v2.3.2.1

v3.*

v3.0.0

v3.0.0.beta.2

v3.0.0.beta.3

v3.0.0.beta1

v3.0.0.beta2

v3.0.0.beta3

v3.0.0.beta4

v3.0.0_RC

v3.0.0_RC2

v3.0.2

v3.0.3

v3.0.4

v3.0.4.rc1

v3.0.5

v3.0.5.rc1

v3.0.6

v3.0.6.rc1

v3.0.6.rc2

v3.0.7

v3.0.7.rc1

v3.0.7.rc2

v3.0.8

v3.0.8.rc1

v3.0.8.rc2

v3.0.8.rc3

v3.0.8.rc4

v3.0.9.rc1

v3.0.9.rc2

v3.0.9.rc3

v3.0.9.rc4

v3.0.9.rc5

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-25032.json"