An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows …/ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
CPE | Name | Operator | Version |
---|---|---|---|
flask-cors | eq | 1.3.0 | |
flask-cors | eq | 1.9.0 | |
flask-cors | eq | 1.7.4 | |
flask-cors | eq | 1.2.1 | |
flask-cors | eq | 2.0.0 | |
flask-cors | eq | 1.10.3 | |
flask-cors | eq | 2.1.1 | |
flask-cors | eq | 2.1.3 | |
flask-cors | eq | 3.0.1 | |
flask-cors | eq | 1.3.1 |
lists.opensuse.org/opensuse-security-announce/2020-09/msg00028.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00032.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00039.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00048.html
github.com/corydolphin/flask-cors/releases/tag/3.0.9
www.debian.org/security/2020/dsa-4775