search

GoogleCloudPlatform / opentelemetry-demo

Apache License 2.0
11 stars 6 forks source link

Update dependency flask-cors to v4.0.1 [SECURITY] #73

Closed renovate-bot closed 1 month ago

renovate-bot commented 1 month ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
flask-cors ==4.0.0 -> ==4.0.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-1681

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.

Release Notes

corydolphin/flask-cors (flask-cors) ### [`v4.0.1`](https://togithub.com/corydolphin/flask-cors/blob/HEAD/CHANGELOG.md#401) [Compare Source](https://togithub.com/corydolphin/flask-cors/compare/4.0.0...4.0.1) ##### Security - Address [CVE-2024-1681](https://togithub.com/advisories/GHSA-84pr-m4jr-85g5) which is a log injection vulnerability when the log level is set to debug by [@​aneshujevic](https://togithub.com/aneshujevic) in [https://github.com/corydolphin/flask-cors/pull/351](https://togithub.com/corydolphin/flask-cors/pull/351)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

github-actions[bot] commented 1 month ago

This PR was marked stale due to lack of activity. It will be closed in 7 days.

github-actions[bot] commented 1 month ago

Closed as inactive. Feel free to reopen if this PR is still being worked on.

forking-renovate[bot] commented 1 month ago

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (==4.0.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.