SB2025070342 - Ubuntu update for python-flask-cors


Published: July 3, 2025

Security Bulletin ID: SB2025070342
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity (chart; legend Low / Medium / High / Critical): Medium 80%, 20% unlabelled.

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Security features bypass (CVE-ID: CVE-2024-6839)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper regex path matching. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. A remote attacker can gain unauthorized cross-origin access to sensitive data or functionality.


2) Information disclosure (CVE-ID: CVE-2024-6221)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application within the "Access-Control-Allow-Private-Network" CORS header. A remote attacker can gain unauthorized access to sensitive information on the system.


3) Improper Handling of Case Sensitivity (CVE-ID: CVE-2024-6866)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to usage of a case-sensitive try_match() function on the attacker-controlled URI. A remote attacker can bypass implemented security checks and gain unauthorized access to sensitive data.


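The ordering and case-handling problems in items 1 and 3 are easiest to see on a small resource map. The following is an added illustration, not Flask-CORS code: the two resolvers are constructed models of "longest regex wins" versus "first listed rule wins", the resource map and paths are made up, and the audit() helper is a hypothetical check an operator could run against their own map.

```python
import re

# Constructed resource map in the shape Flask-CORS users write
# (path regex -> options). Example data, not the project's own code.
RESOURCES = {
    r"/api/admin/.*": {"origins": ["https://admin.example"]},   # restrictive
    # Verbose catch-all: longer than the admin rule but far less specific.
    r"/api/(?:[a-z0-9_-]+/)*[a-z0-9_-]+": {"origins": "*"},
    r"/api/.*": {"origins": "*"},
}

def resolve_longest_first(path, resources):
    """Model of the ordering the bulletin describes: the longest matching
    regex wins, case-sensitively. Returns None when nothing matches."""
    for pattern in sorted(resources, key=len, reverse=True):
        if re.fullmatch(pattern, path):
            return resources[pattern]
    return None

def resolve_first_match(path, resources, ignore_case=True):
    """Hardened alternative: keep the developer's order so the most specific
    rule, listed first, wins; match case-insensitively so a re-cased path
    cannot skip a restrictive rule and fall through to a permissive one."""
    flags = re.IGNORECASE if ignore_case else 0
    for pattern, options in resources.items():
        if re.fullmatch(pattern, path, flags):
            return options
    return None

def audit(paths, expected_origins, resolver, resources=RESOURCES):
    """Return (path, resolved origins) for every path whose effective
    policy differs from the origins the operator intended for it."""
    findings = []
    for path in paths:
        policy = resolver(path, resources)
        got = policy["origins"] if policy else None
        if got != expected_origins:
            findings.append((path, got))
    return findings

# Paths an operator would expect to be covered by the admin-only rule.
SENSITIVE = ["/api/admin/users", "/API/Admin/users"]

if __name__ == "__main__":
    for name, r in (("longest-first", resolve_longest_first),
                    ("first-match", resolve_first_match)):
        print(name, audit(SENSITIVE, ["https://admin.example"], r))
```

With the longest-first model the verbose catch-all wins for /api/admin/users and the admin-only origin list is never applied; with the ordered, case-insensitive resolver both paths resolve to the intended policy and the audit returns no findings.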
4) Input validation error (CVE-ID: CVE-2024-6844)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of special characters in the URL. A remote attacker can bypass applied CORS restrictions and gain unauthorized access to the application.


5) Improper Output Neutralization for Logs (CVE-ID: CVE-2024-1681)

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to excessive data output by the application. A remote attacker can send a specially crafted GET request containing a CRLF sequence in the request path to inject fake log entries into the log file.


Remediation

Install the update from the vendor's website.