search

opensearch-project / opentelemetry-demo

This repository contains the OpenSearch adaptation for the OpenTelemetry Astronomy Shop, a microservice-based distributed system intended to illustrate the implementation of OpenTelemetry in a near real-world environment.
https://opentelemetry.io/docs/demo/
Apache License 2.0
17 stars 17 forks source link

Flask_Cors-4.0.0-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5) - autoclosed #127

Closed mend-for-github-com[bot] closed 1 week ago

mend-for-github-com[bot] commented 6 months ago
Vulnerable Library - Flask_Cors-4.0.0-py2.py3-none-any.whl

A Flask extension adding a decorator for CORS support

Library home page: https://files.pythonhosted.org/packages/10/69/1e6cfb87117568a9de088c32d6258219e9d1ff7c131abf74249ef2031279/Flask_Cors-4.0.0-py2.py3-none-any.whl

Path to dependency file: /src/loadgenerator/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20241106183659_MRHJRB/python_UHWWZK/202411061841521/env/lib/python3.8/site-packages/Flask_Cors-4.0.0.dist-info

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Flask_Cors version) Remediation Possible**
CVE-2024-6221 High 7.5 Flask_Cors-4.0.0-py2.py3-none-any.whl Direct flask-cors - 4.0.2
CVE-2024-1681 Medium 5.3 Flask_Cors-4.0.0-py2.py3-none-any.whl Direct flask-cors - 4.0.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-6221 ### Vulnerable Library - Flask_Cors-4.0.0-py2.py3-none-any.whl

A Flask extension adding a decorator for CORS support

Library home page: https://files.pythonhosted.org/packages/10/69/1e6cfb87117568a9de088c32d6258219e9d1ff7c131abf74249ef2031279/Flask_Cors-4.0.0-py2.py3-none-any.whl

Path to dependency file: /src/loadgenerator/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20241106183659_MRHJRB/python_UHWWZK/202411061841521/env/lib/python3.8/site-packages/Flask_Cors-4.0.0.dist-info

Dependency Hierarchy: - :x: **Flask_Cors-4.0.0-py2.py3-none-any.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

Publish Date: 2024-08-18

URL: CVE-2024-6221

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-hxwh-jpp2-84pm

Release Date: 2024-08-18

Fix Resolution: flask-cors - 4.0.2

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-1681 ### Vulnerable Library - Flask_Cors-4.0.0-py2.py3-none-any.whl

A Flask extension adding a decorator for CORS support

Library home page: https://files.pythonhosted.org/packages/10/69/1e6cfb87117568a9de088c32d6258219e9d1ff7c131abf74249ef2031279/Flask_Cors-4.0.0-py2.py3-none-any.whl

Path to dependency file: /src/loadgenerator/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20241106183659_MRHJRB/python_UHWWZK/202411061841521/env/lib/python3.8/site-packages/Flask_Cors-4.0.0.dist-info

Dependency Hierarchy: - :x: **Flask_Cors-4.0.0-py2.py3-none-any.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.

Publish Date: 2024-04-19

URL: CVE-2024-1681

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-84pr-m4jr-85g5

Release Date: 2024-04-19

Fix Resolution: flask-cors - 4.0.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

dblock commented 4 months ago

Catch All Triage - 1 2 3 4 5 6

mend-for-github-com[bot] commented 1 week ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.