Safety vulnerability ID: 70624
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of the flask-cors package are vulnerable to Improper Output Neutralization for Logs due to unsanitized request path values being written to the debug logger. In flask_cors.extension.CORS, request.path is logged via LOG.debug without normalizing or escaping CRLF characters when DEBUG logging is enabled, as evidenced by the logging site in extension.py and the fix that cleans request.path before logging.
Latest version: 6.0.1
A Flask extension simplifying CORS support
corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs. See CVE-2024-1681.
MISC: https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644
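The effect described above, as an added example that is not flask-cors code and not the project's fix: a debug record built from a request path is written once raw and once with control characters escaped. The names `neutralize`, `log_path`, the logger name `demo.cors` and the sample path are assumptions constructed for this illustration.

```python
import io
import logging

# Constructed sample: a request path after URL decoding, carrying a CRLF
# followed by text shaped like a log record.
SAMPLE_PATH = "/index\r\nWARNING:forged:constructed entry"


def neutralize(value: str) -> str:
    """Escape backslashes and non-printable characters (hypothetical helper)."""
    out = []
    for ch in value:
        if ch == "\\" or not ch.isprintable():
            # CR becomes the two characters \r, LF becomes \n, and so on.
            out.append(ch.encode("unicode_escape").decode("ascii"))
        else:
            out.append(ch)
    return "".join(out)


def log_path(path: str, sanitize: bool) -> list[str]:
    """Write one DEBUG record containing the path; return the lines it produced."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s:%(name)s:%(message)s"))
    logger = logging.getLogger("demo.cors")  # hypothetical logger name
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        shown = neutralize(path) if sanitize else path
        logger.debug("Request to '%s' matches CORS resource", shown)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for sanitize in (False, True):
        lines = log_path(SAMPLE_PATH, sanitize)
        print(f"sanitize={sanitize}: {len(lines)} line(s)")
        for line in lines:
            print("   ", line)
```

A single `logger.debug` call yields two lines when the path is logged raw, and the second line is indistinguishable from a genuine record to a line-oriented parser. With escaping, the same input stays on one line and the CRLF remains visible as text for later review.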