rpm package
opensuse/python-Flask-Cors&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/python-Flask-Cors&distro=openSUSE%20Tumbleweed
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-6866 | — | < 6.0.2-1.1 | 6.0.2-1.1 | Mar 20, 2025 | corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but t | ||
| CVE-2024-6844 | — | < 6.0.2-1.1 | 6.0.2-1.1 | Mar 20, 2025 | A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads | ||
| CVE-2024-6839 | — | < 6.0.2-1.1 | 6.0.2-1.1 | Mar 20, 2025 | corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This misma | ||
| CVE-2024-1681 | — | < 4.0.1-1.1 | 4.0.1-1.1 | Apr 19, 2024 | corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to co | ||
| CVE-2020-25032 | — | < 3.0.10-1.3 | 3.0.10-1.3 | Aug 31, 2020 | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. |
- CVE-2024-6866Mar 20, 2025affected < 6.0.2-1.1fixed 6.0.2-1.1
corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but t
- CVE-2024-6844Mar 20, 2025affected < 6.0.2-1.1fixed 6.0.2-1.1
A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads
- CVE-2024-6839Mar 20, 2025affected < 6.0.2-1.1fixed 6.0.2-1.1
corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This misma
- CVE-2024-1681Apr 19, 2024affected < 4.0.1-1.1fixed 4.0.1-1.1
corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to co
- CVE-2020-25032Aug 31, 2020affected < 3.0.10-1.3fixed 3.0.10-1.3
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.