
Debian 11: DLA-4197-1 critical: python-flask-cors risks with log injection

Debian LTS advisory, May 31, 2025

When deploying Flask applications that use Flask-CORS on Debian, configure CORS access controls carefully and serve the application over HTTPS to help prevent these vulnerabilities from being exploited.

Multiple security issues were discovered in Flask-CORS, a Flask extension for handling Cross-Origin Resource Sharing (CORS).

Summary

CVE-2024-1681

Due to a log injection vulnerability when the log level is set to
debug, an attacker can inject fake log entries into the log file by
sending a specially crafted GET request containing a CRLF sequence
in the request path.

CVE-2024-6839

An improper regex path matching vulnerability: longer regex patterns
are prioritized over more specific ones when matching paths, which
can lead to a less restrictive CORS policy being applied to a
sensitive endpoint.

CVE-2024-6844

An inconsistent CORS matching due to the handling of the '+'
character in URL paths leads to incorrect path normalization,
causing potential mismatches in CORS configuration.

CVE-2024-6866

The request path matching is case-insensitive. This results in a
mismatch because paths in URLs are case-sensitive. This
misconfiguration can lead to significant security vulnerabilities,
allowing unauthorized origins to access paths meant to be
restricted.
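A small model of the matching and logging pitfalls described above, added here as an illustration; it is not Flask-CORS' own code, and the rule set, origins and the "longest pattern wins, case-insensitive" model of the weak behaviour are assumptions. It places that weak matcher beside one that checks rules in declared order, case-sensitively and anchored to the whole path, adds an audit for a literal rule shadowed by a broader regex, and shows a log-safe encoding of request paths for the CRLF issue.

```python
import re

# Constructed sample configuration (not from the advisory): the sensitive rule
# is declared first and restricted; the second rule is a longer regex string
# but far less specific, and it also matches "/api/admin".
RESOURCES = [
    (r"/api/admin", {"origins": ["https://admin.example.test"]}),
    (r"/api/[a-zA-Z0-9_-]+", {"origins": ["*"]}),
]

REGEX_META = set(r".^$*+?{}[]\|()")


def match_longest_first(path, resources):
    """Model of the weak behaviour: the longest pattern string wins and
    matching ignores case, so the broad rule shadows the sensitive one."""
    for pattern, opts in sorted(resources, key=lambda r: len(r[0]), reverse=True):
        if re.fullmatch(pattern, path, flags=re.IGNORECASE):
            return opts
    return None


def match_declared_order(path, resources):
    """Hardened model: rules are tried in declaration order, case-sensitively,
    and anchored to the full path, so the specific rule listed first wins."""
    for pattern, opts in resources:
        if re.fullmatch(pattern, path):
            return opts
    return None


def audit_overlaps(resources):
    """Flag literal rules (no regex metacharacters) that another, broader
    rule in the same configuration would also match."""
    findings = []
    for pattern, _ in resources:
        if REGEX_META & set(pattern):
            continue  # not a literal path; skip
        for other, _ in resources:
            if other != pattern and re.fullmatch(other, pattern):
                findings.append((pattern, other))
    return findings


def log_safe(path):
    """Encode CR, LF and other control characters before a request path is
    logged, so a crafted path cannot forge additional log lines."""
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in path)
```

Run the two matchers against `/api/admin` and `/API/ADMIN` and compare the origins returned, then check `audit_overlaps(RESOURCES)` to see the shadowed rule reported.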

Severity: critical

Package: python-flask-cors
Version: 3.0.9-2+deb11u1
CVE ID: CVE-2024-1681 CVE-2024-6839 CVE-2024-6844 CVE-2024-6866
Debian Bug: 1069764 1100988
