CVE-2024-6221

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-6221
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-6221.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-6221
Aliases
Related
Published
2024-08-18T19:15:04Z
Modified
2024-12-04T23:45:42.041274Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the Access-Control-Allow-Private-Network CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

References

Affected packages

Debian:11 / python-flask-cors

Package

Name
python-flask-cors
Purl
pkg:deb/debian/python-flask-cors?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.9-2
3.0.10-1
3.0.10-2

4.*

4.0.0-1
4.0.1-1

5.*

5.0.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-flask-cors

Package

Name
python-flask-cors
Purl
pkg:deb/debian/python-flask-cors?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.10-2

4.*

4.0.0-1
4.0.1-1

5.*

5.0.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-flask-cors

Package

Name
python-flask-cors
Purl
pkg:deb/debian/python-flask-cors?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.0-1

Affected versions

3.*

3.0.10-2

4.*

4.0.0-1
4.0.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}