Your message dated Tue, 20 May 2025 15:04:42 +0000
with message-id <e1uhowi-00b88s...@fasolo.debian.org>
and subject line Bug#1100988: fixed in python-flask-cors 6.0.0-1
has caused the Debian Bug report #1100988,
regarding python-flask-cors: CVE-2024-6866 CVE-2024-6844 CVE-2024-6839
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1100988: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100988
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-flask-cors
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for python-flask-cors.

CVE-2024-6866[0]:
| corydolphin/flask-cors version 4.01 contains a vulnerability where
| the request path matching is case-insensitive due to the use of the
| `try_match` function, which is originally intended for matching
| hosts. This results in a mismatch because paths in URLs are case-
| sensitive, but the regex matching treats them as case-insensitive.
| This misconfiguration can lead to significant security
| vulnerabilities, allowing unauthorized origins to access paths meant
| to be restricted, resulting in data exposure and potential data
| leaks.

https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6


CVE-2024-6844[1]:
| A vulnerability in corydolphin/flask-cors version 4.0.1 allows for
| inconsistent CORS matching due to the handling of the '+' character
| in URL paths. The request.path is passed through the unquote_plus
| function, which converts the '+' character to a space ' '. This
| behavior leads to incorrect path normalization, causing potential
| mismatches in CORS configuration. As a result, endpoints may not be
| matched correctly to their CORS settings, leading to unexpected CORS
| policy application. This can cause unauthorized cross-origin access
| or block valid requests, creating security vulnerabilities and
| usability issues.

https://huntr.com/bounties/731a6cd4-d05f-4fe6-8f5b-fe088d7b34e0


CVE-2024-6839[2]:
| corydolphin/flask-cors version 4.0.1 contains an improper regex path
| matching vulnerability. The plugin prioritizes longer regex patterns
| over more specific ones when matching paths, which can lead to less
| restrictive CORS policies being applied to sensitive endpoints. This
| mismatch in regex pattern priority allows unauthorized cross-origin
| access to sensitive data or functionality, potentially exposing
| confidential information and increasing the risk of unauthorized
| actions by malicious actors.

https://huntr.com/bounties/403eb1fc-86f4-4820-8eba-0f3dfae9f2b4



If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6866
    https://www.cve.org/CVERecord?id=CVE-2024-6866
[1] https://security-tracker.debian.org/tracker/CVE-2024-6844
    https://www.cve.org/CVERecord?id=CVE-2024-6844
[2] https://security-tracker.debian.org/tracker/CVE-2024-6839
    https://www.cve.org/CVERecord?id=CVE-2024-6839

Please adjust the affected versions in the BTS as needed.

--- End Message ---
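The three matching defects described in the report above, placed beside one hardened form, as an added illustration in Python (the resource table, the specificity heuristic and the helper names are constructed; this is not flask-cors's own code or its 6.0.0 fix):

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed resource table (regex -> allowed origins). Not flask-cors's
# data structure; it only illustrates the three CVE descriptions.
RESOURCES = [
    (r"/api/admin/secret", ["https://admin.example"]),         # tight rule
    (r"/api/(admin|user|billing)/.*", ["*"]),                    # broad, but a longer string
    (r"/api/export/[A-Za-z0-9+/=]+", ["https://app.example"]),  # token segment may contain '+'
]

_META = re.compile(r"[.^$*+?{}\[\]\\|()]")

def _literal_prefix_len(pattern):
    """Specificity heuristic (constructed): literal characters before the first regex metacharacter."""
    m = _META.search(pattern)
    return len(pattern) if m is None else m.start()

def match_vulnerable(path, resources=RESOURCES):
    """Matching with the three defects the report describes (illustration only)."""
    path = unquote_plus(path)            # CVE-2024-6844: '+' is turned into ' '
    best = None
    for pattern, origins in resources:
        # CVE-2024-6866: case-insensitive match; CVE-2024-6839: longest pattern string wins
        if re.fullmatch(pattern, path, re.IGNORECASE):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, origins)
    return best[1] if best else None

def match_hardened(path, resources=RESOURCES):
    """Case-sensitive, '+'-preserving, most-specific-pattern-wins (one possible correction)."""
    path = unquote(path)                 # percent-decoding only; '+' stays '+'
    best = None
    for pattern, origins in resources:
        if re.fullmatch(pattern, path):  # paths are case-sensitive, so no IGNORECASE
            if best is None or _literal_prefix_len(pattern) > _literal_prefix_len(best[0]):
                best = (pattern, origins)
    return best[1] if best else None

if __name__ == "__main__":
    for p in ("/api/admin/secret", "/API/ADMIN/SECRET", "/api/export/ab+cd"):
        print(p, "vulnerable:", match_vulnerable(p), "hardened:", match_hardened(p))
```

The first path shows the broad wildcard rule beating the exact rule purely on string length, the second shows an upper-cased path picking up a rule it should not, and the third shows a legitimate '+' in a path segment losing its CORS headers entirely.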
--- Begin Message ---
Source: python-flask-cors
Source-Version: 6.0.0-1
Done: Carsten Schoenert <c.schoen...@t-online.de>

We believe that the bug you reported is fixed in the latest version of
python-flask-cors, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1100...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carsten Schoenert <c.schoen...@t-online.de> (supplier of updated 
python-flask-cors package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 20 May 2025 16:37:09 +0200
Source: python-flask-cors
Architecture: source
Version: 6.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Carsten Schoenert <c.schoen...@t-online.de>
Closes: 1100988
Changes:
 python-flask-cors (6.0.0-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 6.0.0
     Fixed CVE issues in upstream version 6.0.0:
     CVE-2024-6839: Flask-CORS improper regex path matching vulnerability
     CVE-2024-6844: Flask-CORS allows for inconsistent CORS matching
     CVE-2024-6866: Flask-CORS vulnerable to Improper Handling of Case
                    Sensitivity
     (Closes: #1100988)



--- End Message ---
