UBUNTU-CVE-2024-6221

Source
https://ubuntu.com/security/CVE-2024-6221
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6221.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-6221
Related
Published
2024-08-18T19:15:00Z
Modified
2024-10-15T14:17:22Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the Access-Control-Allow-Private-Network CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

References

Affected packages

Ubuntu:20.04:LTS / python-flask-cors

Package

Name
python-flask-cors
Purl
pkg:deb/ubuntu/python-flask-cors?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.8-2
3.0.8-2ubuntu0.1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / python-flask-cors

Package

Name
python-flask-cors
Purl
pkg:deb/ubuntu/python-flask-cors?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.9-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / python-flask-cors

Package

Name
python-flask-cors
Purl
pkg:deb/ubuntu/python-flask-cors?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.0.0-1
4.0.1-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / python-flask-cors

Package

Name
python-flask-cors
Purl
pkg:deb/ubuntu/python-flask-cors?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.0.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}