flask_cors is vulnerable to directory traversal. The vulnerability exists because it does not sufficiently handle pathnames for CORS resource matching before evaluating resource rules, allowing an attacker to submit a malicious pathname containing the `../` characters and access arbitrary system files.
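The matching flaw described above, shown as an added illustration that is not flask-cors's own code: an ordered rule table is evaluated against the raw request path, so a path containing `../` (or its URL-encoded form) is matched by a permissive prefix rule even though the server will serve it under a different, more restricted prefix. The rule patterns, origins and paths below are constructed for the example; the mitigation is to canonicalize the path (decode, then collapse `.`/`..` segments) before any rule is consulted.

```python
import posixpath
import re
from urllib.parse import unquote

# Ordered CORS resource rules in the flask-cors style: the first regex that
# matches the request path decides which origins receive CORS headers.
# Constructed sample rules, not the project's configuration.
RESOURCES = [
    (r"^/api/", {"origins": "*"}),
    (r"^/internal/", {"origins": ["https://ops.example.internal"]}),
]


def match_resource(path, resources):
    """Return the options of the first rule whose regex matches path, or None."""
    for pattern, options in resources:
        if re.match(pattern, path):
            return options
    return None


def canonicalize(path):
    """Decode percent-escapes, then collapse '.' and '..' segments so the rule
    is evaluated against the path the application will actually route."""
    decoded = unquote(path)
    normalized = posixpath.normpath(decoded)
    # normpath turns '' into '.' and may drop the leading slash; keep it absolute.
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    return normalized


def cors_options_unsafe(path):
    """Vulnerable pattern: rules applied to the raw path, so '/api/../internal/x'
    is matched by the permissive '/api/' rule."""
    return match_resource(path, RESOURCES)


def cors_options_safe(path):
    """Hardened pattern: canonicalize first, so the same request hits the
    '/internal/' rule and only the allow-listed origin is returned."""
    return match_resource(canonicalize(path), RESOURCES)


def looks_like_traversal(path):
    """Detection helper: True when decoding/normalizing changes the path,
    i.e. a request that is worth logging at the CORS layer."""
    return canonicalize(path) != path
```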
| CPE | Name | Operator | Version |
|---|---|---|---|
| | flask-cors | le | 3.0.8 |
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00028.html
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00032.html
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00039.html
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00048.html
- github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
- github.com/corydolphin/flask-cors/releases/tag/3.0.9
- www.debian.org/security/2020/dsa-4775