Log Injection Affecting flask-cors package, versions [0,]
Snyk CVSS
Attack Complexity
High
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.04% (9th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-FLASKCORS-6670412
- published 22 Apr 2024
- disclosed 19 Apr 2024
- credit Elias Hohl
Introduced: 19 Apr 2024
New CVE-2024-1681 Open this link in a new tabHow to fix?
There is no fixed version for Flask-Cors
.
Overview
Flask-Cors is an A Flask extension adding a decorator for CORS support
Affected versions of this package are vulnerable to Log Injection when the log level is set to debug. A user can inject or modify messages by abusing CRLF sequences in the request path of a GET request.
PoC
http://127.0.0.1:5000/api/test%0D%0A%0D%0ALOGINJECTION%0D%0A%0D%0A