CVE-2024-6221

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
@huntr_aiCNA
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
VendorProductVersion
corydolphinflask-cors
4.0.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-flask-cors
bullseye
postponed
bookworm
postponed
trixie
5.0.1-1
fixed
sid
6.0.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-flask-cors
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
jammy
needs-triage
focal
needs-triage
Common Weakness Enumeration
References
https://github.com/corydolphin/flask-cors/commit/03aa3f8e2256437f7bad96422a747b98ab5e31bf
https://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d