Stay Secure with the Latest Linux Advisories

security advisoryDebianlog injection

Debian 11: DLA-4197-1 critical: python-flask-cors risks with log injection

Multiple security issues were discovered in Flask-CORS, a Flask extension for handling Cross Origin Resource Sharing (CORS). CVE-2024-1681 . ------------------------------------------------------------------------- Debian LTS Advisory DLA-4197-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/lts/security/ Daniel Leidert May 31, 2025 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : python-flask-cors Version : 3.0.9-2+deb11u1 CVE ID : CVE-2024-1681 CVE-2024-6839 CVE-2024-6844 CVE-2024-6866 Debian Bug : 1069764 1100988 Multiple security issues were discovered in Flask-CORS, a Flask extension for handling Cross Origin Resource Sharing (CORS). CVE-2024-1681 Due to a log injection vulnerability when the log level is set to debug, an attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. CVE-2024-6839 An improper regex path matching vulnerability due to prioritizing longer regex patterns over more specific ones when matching paths, can lead to less restrictive CORS policies being applied to sensitive endpoints. CVE-2024-6844 An inconsistent CORS matching due to the handling of the '+' character in URL paths leads to incorrect path normalization, causing potential mismatches in CORS configuration. CVE-2024-6866 The request path matching is case-insensitive. This results in a mismatch because paths in URLs are case-sensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted. For Debian 11 bullseye, these problems have been fixed in version 3.0.9-2+deb11u1. We recommend that you upgrade your python-flask-cors packages. For the detailed security status of python-flask-corsplease refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/python-flask-cors Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . When deploying Flask apps with Flask-CORS on Debian, prioritize security by configuring access controls and HTTPS to prevent vulnerabilities and attacks. Debian Security Update, Flask-CORS Issues, Security Enhancement, CORS Vulnerability Management. . Severity: Critical. LinuxSecurity.com Team

May 31, 2025 •Critical Debian LTS