Source: python-flask-cors
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for python-flask-cors.

CVE-2024-6866[0]:
| corydolphin/flask-cors version 4.01 contains a vulnerability where
| the request path matching is case-insensitive due to the use of the
| `try_match` function, which is originally intended for matching
| hosts. This results in a mismatch because paths in URLs are case-sensitive,
| but the regex matching treats them as case-insensitive.
| This misconfiguration can lead to significant security
| vulnerabilities, allowing unauthorized origins to access paths meant
| to be restricted, resulting in data exposure and potential data
| leaks.

https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6

CVE-2024-6844[1]:
| A vulnerability in corydolphin/flask-cors version 4.0.1 allows for
| inconsistent CORS matching due to the handling of the '+' character
| in URL paths. The request.path is passed through the unquote_plus
| function, which converts the '+' character to a space ' '. This
| behavior leads to incorrect path normalization, causing potential
| mismatches in CORS configuration. As a result, endpoints may not be
| matched correctly to their CORS settings, leading to unexpected CORS
| policy application. This can cause unauthorized cross-origin access
| or block valid requests, creating security vulnerabilities and
| usability issues.

https://huntr.com/bounties/731a6cd4-d05f-4fe6-8f5b-fe088d7b34e0

CVE-2024-6839[2]:
| corydolphin/flask-cors version 4.0.1 contains an improper regex path
| matching vulnerability. The plugin prioritizes longer regex patterns
| over more specific ones when matching paths, which can lead to less
| restrictive CORS policies being applied to sensitive endpoints. This
| mismatch in regex pattern priority allows unauthorized cross-origin
| access to sensitive data or functionality, potentially exposing
| confidential information and increasing the risk of unauthorized
| actions by malicious actors.

https://huntr.com/bounties/403eb1fc-86f4-4820-8eba-0f3dfae9f2b4

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6866
    https://www.cve.org/CVERecord?id=CVE-2024-6866
[1] https://security-tracker.debian.org/tracker/CVE-2024-6844
    https://www.cve.org/CVERecord?id=CVE-2024-6844
[2] https://security-tracker.debian.org/tracker/CVE-2024-6839
    https://www.cve.org/CVERecord?id=CVE-2024-6839

Please adjust the affected versions in the BTS as needed.
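Added illustration (not flask-cors code, not the upstream fix, and not part of the bug report above): a small path-to-origin matcher that models the three behaviours the CVE texts describe, each behind a flag, next to a hardened variant that matches case-sensitively, does not rewrite '+', and lets the first configured rule win. The rule table, origins and request paths are constructed for the demonstration; the paths are assumed to be already percent-decoded, as Flask's request.path is.

```python
import re
from urllib.parse import unquote_plus

# Constructed CORS resource table (hypothetical rules and origins, not a real
# application's config). Configuration order expresses intent: the first
# matching rule should apply.
RULES = [
    (r"^/api/internal/.*$", "https://ops.example.com"),          # specific, restrictive
    (r"^/api/reports/q1\+summary$", "https://ops.example.com"),  # literal '+' in the path
    (r"^/api/[a-z]+/[a-z0-9_-]+(\.json)?$", "*"),                # long pattern, permissive
    (r"^/api/public/.*$", "*"),                                  # public, permissive
]


def allowed_origin(path, rules=RULES, *, case_insensitive=False,
                   plus_as_space=False, longest_first=False):
    """Return the origin policy for `path`, or None when no rule matches.

    Each keyword flag models one behaviour from the advisories quoted above:
      case_insensitive -> patterns matched with re.IGNORECASE (CVE-2024-6866)
      plus_as_space    -> path passed through unquote_plus   (CVE-2024-6844)
      longest_first    -> rules ordered by pattern length    (CVE-2024-6839)
    """
    if plus_as_space:
        # unquote_plus turns a literal '+' into ' ', so a path that really
        # contains '+' no longer matches the rule written for it.
        path = unquote_plus(path)
    flags = re.IGNORECASE if case_insensitive else 0
    if longest_first:
        # Longer pattern string wins, regardless of how specific it is.
        ordered = sorted(rules, key=lambda rule: len(rule[0]), reverse=True)
    else:
        # Hardened choice: configuration order, first match wins.
        ordered = rules
    for pattern, origin in ordered:
        if re.match(pattern, path, flags):
            return origin
    return None


def vulnerable_origin(path):
    """All three modelled behaviours enabled at once."""
    return allowed_origin(path, case_insensitive=True,
                          plus_as_space=True, longest_first=True)


def hardened_origin(path):
    """Case-sensitive, no '+' rewriting, configuration order."""
    return allowed_origin(path)


if __name__ == "__main__":
    for p in ("/api/internal/users", "/api/Public/docs/index",
              "/api/reports/q1+summary"):
        print(f"{p:28} vulnerable={vulnerable_origin(p)!s:25} "
              f"hardened={hardened_origin(p)}")
```

Running the block shows the three effects separately: the long permissive regex outranks the shorter internal-only rule, a path no rule was written for (`/api/Public/...`) inherits the public wildcard, and the request containing a literal '+' loses its policy entirely.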