Closed renovate-bot closed 1 month ago
This PR was marked stale due to lack of activity. It will be closed in 7 days.
Closed as inactive. Feel free to reopen if this PR is still being worked on.
Because you closed this PR without merging, Renovate will ignore this update (==4.0.1
). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps
array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:
==4.0.0
->==4.0.1
GitHub Vulnerability Alerts
CVE-2024-1681
corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.
Release Notes
corydolphin/flask-cors (flask-cors)
### [`v4.0.1`](https://togithub.com/corydolphin/flask-cors/blob/HEAD/CHANGELOG.md#401) [Compare Source](https://togithub.com/corydolphin/flask-cors/compare/4.0.0...4.0.1) ##### Security - Address [CVE-2024-1681](https://togithub.com/advisories/GHSA-84pr-m4jr-85g5) which is a log injection vulnerability when the log level is set to debug by [@aneshujevic](https://togithub.com/aneshujevic) in [https://github.com/corydolphin/flask-cors/pull/351](https://togithub.com/corydolphin/flask-cors/pull/351)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.