Log Injection Affecting flask-cors package, versions [,4.0.1)


Severity

low (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.04% (11th percentile)

  • Snyk ID: SNYK-PYTHON-FLASKCORS-6670412
  • Published: 22 Apr 2024
  • Disclosed: 19 Apr 2024
  • Credit: Elias Hohl

Introduced: 19 Apr 2024

CVE-2024-1681
CWE-117

How to fix?

Upgrade Flask-Cors to version 4.0.1 or higher.

Overview

Flask-Cors is a Flask extension adding a decorator for CORS support.

Affected versions of this package are vulnerable to Log Injection (CWE-117) when the application's log level is set to DEBUG. Because the request path is written to the debug log without its CR/LF control characters being neutralised, a remote user can inject new log entries, or alter how existing ones are read, by placing percent-encoded CRLF sequences (%0D%0A) in the path of a GET request. The issue does not arise at log levels above DEBUG, but any deployment that enables debug logging, even temporarily, exposes its log consumers (log files, SIEM agents, dashboards) to forged records.

PoC

http://127.0.0.1:5000/api/test%0D%0A%0D%0ALOGINJECTION%0D%0A%0D%0A

The %0D%0A pairs are percent-decoded before the path reaches the logger, so they arrive as real CR LF bytes; a line-oriented log reader then sees "LOGINJECTION" as a record of its own, separate from the request that carried it.
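The mechanism behind the PoC, as an added example that is not flask-cors's own code (the log message text is invented for illustration, and `POC_PATH` is constructed from the advisory's URL): the vulnerable function logs the percent-decoded path verbatim at DEBUG, so the two CRLF pairs split one request into three lines, one of them entirely attacker-chosen. The hardened variant escapes CR and LF before the value reaches the logger, so the same request yields exactly one record.

```python
import io
import logging
from urllib.parse import unquote

# Constructed request path, mirroring the advisory's PoC: %0D%0A is a
# percent-encoded CR LF pair.
POC_PATH = "/api/test%0D%0A%0D%0ALOGINJECTION%0D%0A%0D%0A"


def make_debug_logger(name):
    """Return (logger, buffer): a DEBUG-level logger writing to an in-memory buffer.

    Stands in for an application that has turned on debug logging, the
    precondition named in the advisory.
    """
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_request_vulnerable(raw_path):
    """Vulnerable pattern (CWE-117): log the decoded path verbatim.

    Werkzeug hands the application a percent-decoded request.path, so the
    %0D%0A in the PoC reaches the logger as real CR LF characters. The
    message text here is illustrative, not flask-cors's own format string.
    """
    logger, buf = make_debug_logger("cors.vulnerable")
    path = unquote(raw_path)
    logger.debug("Request to '%s' matches a CORS resource", path)
    return buf.getvalue()


def neutralize_for_log(value):
    """Escape CR and LF so that one request produces exactly one log record."""
    return value.replace("\r", "\\r").replace("\n", "\\n")


def log_request_hardened(raw_path):
    """Hardened form: neutralize line terminators before the value hits the log."""
    logger, buf = make_debug_logger("cors.hardened")
    path = unquote(raw_path)
    logger.debug("Request to '%s' matches a CORS resource", neutralize_for_log(path))
    return buf.getvalue()


def count_records(log_text):
    """Number of records a line-oriented log consumer (tail, SIEM agent) would see."""
    return len([line for line in log_text.splitlines() if line.strip()])


def stray_lines(log_text):
    """Non-empty lines lacking a level prefix: fragments the injection split off,
    including the attacker-chosen text, which a reader cannot tell apart from
    a genuine record."""
    levels = ("DEBUG ", "INFO ", "WARNING ", "ERROR ", "CRITICAL ")
    return [line for line in log_text.splitlines()
            if line.strip() and not line.startswith(levels)]


if __name__ == "__main__":
    vuln = log_request_vulnerable(POC_PATH)
    print(repr(vuln))
    print("vulnerable: %d records, stray: %s" % (count_records(vuln), stray_lines(vuln)))
    hard = log_request_hardened(POC_PATH)
    print("hardened:   %d records, stray: %s" % (count_records(hard), stray_lines(hard)))
```

Run it directly to print both logs side by side. The check worth applying to any code that logs request data is the one `count_records` makes: a single request must never produce more than one record, regardless of log level. Escaping (rather than stripping) the control characters also preserves evidence that an injection attempt took place.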

CVSS Scores

version 3.1