Lucene search
HistoryJan 08, 2024 - 2:15 p.m.
CVE-2024-21644
pyload
download manager
secret key
flask config
unauthenticated user
patched
version 0.5.0b3.dev77
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.118 Low
EPSS
Percentile
95.3%
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRET_KEY variable. This issue has been patched in version 0.5.0b3.dev77.
Affected configurations
Node
pyloadpyloadRange≤0.4.9
ORpyloadpyloadMatch0.5.0beta1
ORpyloadpyloadMatch0.5.0beta2
Related
cvelist
cvelist
CVE-2024-21644 pyLoad unauthenticated flask configuration leakage
2024-01-08 13:20:55
osv
osv
CVE-2024-21644
2024-01-08 14:15:47
pyload Unauthenticated Flask Configuration Leakage vulnerability
2024-01-08 15:40:39
cve
cve
CVE-2024-21644
2024-01-08 14:15:47
nuclei
nuclei
pyLoad Flask Config - Access Control
2024-01-29 16:33:24
githubexploit
githubexploit
Exploit for Improper Access Control in Pyload
2024-03-30 01:00:31
veracode
veracode
Information Disclosure
2024-01-09 06:36:14
github
github
pyload Unauthenticated Flask Configuration Leakage vulnerability
2024-01-08 15:40:39
prion
prion
Design/Logic Flaw
2024-01-08 14:15:00
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.118 Low
EPSS
Percentile
95.3%
Related for NVD:CVE-2024-21644