HIGH🇬🇧 English

CVE-2024-6866

CVSS 7.5v3.1pub. 2025-03-20upd. 2025-11-03

corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Flask Cors Project Flask Cors

    APP
    Flask-Cors Project
    4.0.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2020-25032HIGH7.5ten sam produkt

An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory tr...

CVE-2024-6839MEDIUM5.3ten sam produkt

corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin priori...

CVE-2024-6844MEDIUM5.3ten sam produkt

A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handl...