Comments (2)
Hey @corydolphin, FYI we've received 2 vulnerability reports on Huntr.com related to this project. We've received them on May 13 and will be publishing them on June 30th unless we're able to get in touch with you.
Thanks
from flask-cors.
Hi @corydolphin, my python-safety run reports the following:
https://data.safetycli.com/v/70813/97c
-> Vulnerability found in flask-cors version 4.0.0
Vulnerability ID: 70813
Affected spec: <4.0.1
ADVISORY: Flask-cors 4.0.1 addresses the CVE-2024-1681:
corydolphin/flask-cors is vulnerable to log injection when the log level
is set to debug. An attacker can inject fake log entries into the log file
by sending a specially crafted GET request containing a CRLF sequence in
the request path. This vulnerability allows attackers to corrupt log
files, potentially covering tracks of other attacks, confusing log post-
processing tools, and forging log entries. The issue is due to improper
output neutralization for logs.
CVE-2024-1681
For more information about this vulnerability, visit
https://data.safetycli.com/v/70813/97c
To ignore this vulnerability, use PyUp vulnerability id 70813 in safety’s
ignore command-line argument or add the ignore to your safety policy file.
https://data.safetycli.com/v/70624/97c
-> Vulnerability found in flask-cors version 4.0.0
Vulnerability ID: 70624
Affected spec: >0
ADVISORY: corydolphin/flask-cors is vulnerable to log injection
when the log level is set to debug. An attacker can inject fake log
entries into the log file by sending a specially crafted GET request
containing a CRLF sequence in the request path. This vulnerability allows
attackers to corrupt log files, potentially covering tracks of other
attacks, confusing log post-processing tools, and forging log entries. The
issue is due to improper output neutralization for logs. See
CVE-2024-1681.
CVE-2024-1681
For more information about this vulnerability, visit
https://data.safetycli.com/v/70624/97c
To ignore this vulnerability, use PyUp vulnerability id 70624 in safety’s
ignore command-line argument or add the ignore to your safety policy file.
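As an added illustration of the mitigation the advisory implies (not code from flask-cors or from either commenter): a logging formatter that neutralizes CR/LF and other control characters so a request path cannot forge additional log entries, plus a request-side check for raw line breaks. The path value, logger names and function names are constructed for this example.

```python
import io
import logging

# Constructed sample: a request path carrying a CRLF sequence, the pattern the
# advisory describes. The trailing text mimics a separate log record.
CRAFTED_PATH = "/api/users\r\nINFO:app:user admin logged in from 10.0.0.1"


def neutralize(text: str) -> str:
    """Replace line breaks and other ASCII control characters with visible
    escapes, so one logging call always yields exactly one physical line."""
    out = []
    for ch in text:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


class SafeFormatter(logging.Formatter):
    """Neutralizes the fully rendered record (message, arguments, and any
    traceback, which therefore also collapses onto one line)."""

    def format(self, record: logging.LogRecord) -> str:
        return neutralize(super().format(record))


def render_log(path: str, safe: bool) -> str:
    """Emit one DEBUG line about `path` with a plain or hardened formatter and
    return the text that reached the log stream."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    fmt = "%(levelname)s:%(name)s:%(message)s"
    handler.setFormatter(SafeFormatter(fmt) if safe else logging.Formatter(fmt))
    logger = logging.getLogger("demo.safe" if safe else "demo.plain")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.debug("Request to %s matches CORS resource", path)
    return stream.getvalue()


def has_log_injection_chars(path: str) -> bool:
    """Detection signal: a raw CR or LF never belongs in a request path."""
    return "\r" in path or "\n" in path


if __name__ == "__main__":
    print("plain:", repr(render_log(CRAFTED_PATH, safe=False)))
    print("safe: ", repr(render_log(CRAFTED_PATH, safe=True)))
```

With the plain formatter the crafted path splits the entry into two lines; with `SafeFormatter` the same call produces a single line in which the CRLF is visible as `\r\n`.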