An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python3-flask-cors": "3.0.8-2ubuntu0.1" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python3-flask-cors": "3.0.9-2" } ] }