chore(deps): update dependency flask-cors to v6 [security]#68
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency flask-cors to v6 [security]#68renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-flask-cors-vulnerability
branch
from
0108fac to
5e16f04
Compare
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-flask-cors-vulnerability
branch
from
5e16f04 to
e076b49
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-cors-vulnerability
branch
from
e076b49 to
535d923
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-flask-cors-vulnerability
branch
2 times, most recently
from
535d923 to
e44603c
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-flask-cors-vulnerability
branch
2 times, most recently
from
e44603c to
41585c9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==3.0.8→==6.0.0Flask-Cors Directory Traversal vulnerability
CVE-2020-25032 / GHSA-xc3p-ff3m-f46v
More information
Details
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows
../directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
flask-cors vulnerable to log injection when the log level is set to debug
CVE-2024-1681 / GHSA-84pr-m4jr-85g5
More information
Details
corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.
Severity
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Flask-CORS allows the
Access-Control-Allow-Private-NetworkCORS header to be set to true by defaultCVE-2024-6221 / GHSA-hxwh-jpp2-84pm
More information
Details
A vulnerability in corydolphin/flask-cors version 4.0.1 allows the
Access-Control-Allow-Private-NetworkCORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Flask-CORS allows for inconsistent CORS matching
CVE-2024-6844 / GHSA-8vgw-p6qm-5gr7
More information
Details
A vulnerability in corydolphin/flask-cors version 5.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.
Severity
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Flask-CORS vulnerable to Improper Handling of Case Sensitivity
CVE-2024-6866 / GHSA-43qf-4rqw-9q2g
More information
Details
corydolphin/flask-cors version 5.0.1 contains a vulnerability where the request path matching is case-insensitive due to the use of the
try_matchfunction, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.Severity
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Flask-CORS improper regex path matching vulnerability
CVE-2024-6839 / GHSA-7rxf-gvfg-47g4
More information
Details
corydolphin/flask-cors version 5.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.
Severity
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
corydolphin/flask-cors (Flask-Cors)
v6.0.0Compare Source
Breaking
Path specificity ordering has changed to improve specificity. This may break users who expected the previous incorrect ordering.
What's Changed
Full Changelog: corydolphin/flask-cors@5.0.1...6.0.0
v5.0.1Compare Source
What's Changed
This primarily changes packaging to use uv and a new release pipeline, along with some small documentation improvements
New Contributors
Full Changelog: corydolphin/flask-cors@5.0.0...5.0.01
v5.0.0Compare Source
What's Changed
This effectively resolves GHSA-hxwh-jpp2-84pm https://osv.dev/vulnerability/PYSEC-2024-71
Full Changelog: corydolphin/flask-cors@4.0.2...5.0.0
v4.0.2Compare Source
What's Changed
New Contributors
Full Changelog: corydolphin/flask-cors@4.0.1...4.0.2
v4.0.1Compare Source
Security
v4.0.0Compare Source
v3.0.10Compare Source
Adds support for PPC64 and ARM64 builds for distribution. Thanks @sreekanth370
v3.0.9Compare Source
Security
evaluated CORS resource matching before path expansion. E.g. "/api/../foo.txt" would incorrectly match resources for
"/api/*" whereas the path actually expands simply to "/foo.txt"
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.