Source: python-flask-cors
Version: 4.0.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/corydolphin/flask-cors/issues/337
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for python-flask-cors.

CVE-2024-6221[0]:
| A vulnerability in corydolphin/flask-cors version 4.0.1 allows the
| `Access-Control-Allow-Private-Network` CORS header to be set to true
| by default, without any configuration option. This behavior can
| expose private network resources to unauthorized external access,
| leading to significant security risks such as data breaches,
| unauthorized access to sensitive information, and potential network
| intrusions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6221
    https://www.cve.org/CVERecord?id=CVE-2024-6221
[1] https://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d
[2] https://github.com/corydolphin/flask-cors/issues/337

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
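The behaviour the advisory describes is a CORS layer that answers every preflight with `Access-Control-Allow-Private-Network: true`, whether or not the deployer asked for it. The following added example (not flask-cors code, and not part of the bug report) shows how a defender can check a WSGI application for that response and how to gate the header behind an explicit origin allowlist until a fixed package is available. The `vulnerable_cors_app` is a constructed stand-in that only imitates the unconditional header described above; `PrivateNetworkGuard`, `preflight` and `allows_private_network` are hypothetical helper names chosen for this example, and the origins used are constructed.

```python
"""Check for, and mitigate, a CORS layer that unconditionally answers
preflight requests with Access-Control-Allow-Private-Network: true.

Constructed example around plain WSGI so it runs without Flask or
flask-cors installed; the "vulnerable" app below is only an imitation
of the default behaviour described in the advisory, not library code.
"""
from io import BytesIO

PNA_HEADER = "Access-Control-Allow-Private-Network"


def vulnerable_cors_app(environ, start_response):
    """Constructed stand-in: every preflight gets the private-network
    header set to true, regardless of origin or configuration."""
    origin = environ.get("HTTP_ORIGIN", "")
    headers = [("Content-Type", "text/plain")]
    if environ["REQUEST_METHOD"] == "OPTIONS":
        headers.append(("Access-Control-Allow-Origin", origin or "*"))
        headers.append((PNA_HEADER, "true"))  # the unconditional default
        start_response("204 No Content", headers)
        return [b""]
    start_response("200 OK", headers)
    return [b"hello"]


class PrivateNetworkGuard:
    """Hypothetical WSGI middleware: strips the private-network header from
    any response unless the request's Origin is explicitly allowlisted.
    Wrap the real application with this while the package is unfixed."""

    def __init__(self, app, allowed_origins=()):
        self.app = app
        self.allowed = frozenset(allowed_origins)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN", "")

        def guarded_start(status, headers, exc_info=None):
            if origin not in self.allowed:
                headers = [(k, v) for k, v in headers
                           if k.lower() != PNA_HEADER.lower()]
            return start_response(status, headers, exc_info)

        return self.app(environ, guarded_start)


def preflight(app, origin, path="/api"):
    """Drive a constructed CORS preflight (OPTIONS with the
    Access-Control-Request-Private-Network hint) through a WSGI app
    in-process and return (status, lower-cased header dict)."""
    environ = {
        "REQUEST_METHOD": "OPTIONS",
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.url_scheme": "http",
        "wsgi.input": BytesIO(b""),
        "HTTP_ORIGIN": origin,
        "HTTP_ACCESS_CONTROL_REQUEST_METHOD": "GET",
        "HTTP_ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK": "true",
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]


def allows_private_network(headers):
    """True when the response grants private-network access, i.e. the
    header is present with the value 'true' (case-insensitive)."""
    return headers.get(PNA_HEADER.lower(), "").strip().lower() == "true"


if __name__ == "__main__":
    # Constructed origins: one untrusted, one that the deployer explicitly trusts.
    untrusted, trusted = "https://attacker.example", "https://intranet-ui.example"
    _, raw = preflight(vulnerable_cors_app, untrusted)
    print("unwrapped app grants PNA to untrusted origin:", allows_private_network(raw))
    guarded = PrivateNetworkGuard(vulnerable_cors_app, allowed_origins={trusted})
    for o in (untrusted, trusted):
        _, h = preflight(guarded, o)
        print(f"guarded app grants PNA to {o}:", allows_private_network(h))
```

Running the module prints `True` for the unwrapped app and, for the guarded app, `False` for the untrusted origin and `True` only for the allowlisted one. The same `preflight`/`allows_private_network` pair can be pointed at any WSGI callable to confirm that an upgraded package no longer emits the header by default.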