An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../
directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
CPE | Name | Operator | Version |
---|---|---|---|
flask-cors | eq | 1.10.2 | |
flask-cors | eq | 3.0.3 | |
flask-cors | eq | 1.10.1 | |
flask-cors | eq | 3.0.7 | |
flask-cors | eq | 3.0.2 | |
flask-cors | eq | 2.1.2 | |
flask-cors | eq | 1.7.0 | |
flask-cors | eq | 3.0.4 | |
flask-cors | eq | 1.9.0 | |
flask-cors | eq | 1.1.3 |
lists.opensuse.org/opensuse-security-announce/2020-09/msg00028.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00032.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00039.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00048.html
github.com/corydolphin/flask-cors
github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
github.com/corydolphin/flask-cors/releases/tag/3.0.9
nvd.nist.gov/vuln/detail/CVE-2020-25032
www.debian.org/security/2020/dsa-4775