search

AdamOswald / Huggingface-Space

1 stars 3 forks source link

Flask_Cors-3.0.10-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5) #102

Open mend-bolt-for-github[bot] opened 7 months ago

mend-bolt-for-github[bot] commented 7 months ago
Vulnerable Library - Flask_Cors-3.0.10-py2.py3-none-any.whl

A Flask extension adding a decorator for CORS support

Library home page: https://files.pythonhosted.org/packages/db/84/901e700de86604b1c4ef4b57110d4e947c218b9997adf5d38fa7da493bce/Flask_Cors-3.0.10-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Flask_Cors version) Remediation Possible**
CVE-2024-6221 High 7.5 Flask_Cors-3.0.10-py2.py3-none-any.whl Direct 4.0.2
CVE-2024-1681 Medium 5.3 Flask_Cors-3.0.10-py2.py3-none-any.whl Direct flask-cors - 4.0.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-6221 ### Vulnerable Library - Flask_Cors-3.0.10-py2.py3-none-any.whl

A Flask extension adding a decorator for CORS support

Library home page: https://files.pythonhosted.org/packages/db/84/901e700de86604b1c4ef4b57110d4e947c218b9997adf5d38fa7da493bce/Flask_Cors-3.0.10-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **Flask_Cors-3.0.10-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

### Vulnerability Details

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

Publish Date: 2024-08-18

URL: CVE-2024-6221

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-hxwh-jpp2-84pm

Release Date: 2024-08-18

Fix Resolution: 4.0.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-1681 ### Vulnerable Library - Flask_Cors-3.0.10-py2.py3-none-any.whl

A Flask extension adding a decorator for CORS support

Library home page: https://files.pythonhosted.org/packages/db/84/901e700de86604b1c4ef4b57110d4e947c218b9997adf5d38fa7da493bce/Flask_Cors-3.0.10-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **Flask_Cors-3.0.10-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c

Found in base branch: main

### Vulnerability Details

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.

Publish Date: 2024-04-19

URL: CVE-2024-1681

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-84pr-m4jr-85g5

Release Date: 2024-04-19

Fix Resolution: flask-cors - 4.0.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
secure-code-warrior-for-github[bot] commented 7 months ago

Micro-Learning Topic: Log injection (Detected by phrase)

Matched on "log injection"

What is this? (2min video)

The Log Forging vulnerability is caused by writing unvalidated user input to log files can allow an attacker to forge log entries or inject malicious content into the logs.

Try a challenge in Secure Code Warrior

Helpful references
  • OWASP Log Forging - OWASP community page with comprehensive information about log forging, and links to various OWASP resources to help detect or prevent it.

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Library"

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try a challenge in Secure Code Warrior