CVE-2024-1681Improper Output Neutralization for Logs in Project Flask-cors

CWE-117Improper Output Neutralization for Logs9 documents6 sources
Severity
5.3MEDIUMNVD
EPSS
0.2%
top 60.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Flask-cors Project Flask-corsCorydolphin Flask-corsCorydolphin Flask-cors
Timeline
PublishedApr 19
Latest updateJul 2

Description

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

CVEListV5corydolphin/corydolphin_flask-corsunspecifiedlatest

🔴Vulnerability Details

6
GHSA
Taipy 3.1.1 affected by CVEs on flask-core and pymongo2024-08-27
OSV
Taipy 3.1.1 affected by CVEs on flask-core and pymongo2024-08-27
OSV
CVE-2024-1681: corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug2024-04-19
GHSA
flask-cors vulnerable to log injection when the log level is set to debug2024-04-19
CVEList
Log Injection Vulnerability in corydolphin/flask-cors2024-04-19

📋Vendor Advisories

2
Ubuntu
Flask-CORS vulnerabilities2025-07-02
Debian
CVE-2024-1681: python-flask-cors - corydolphin/flask-cors is vulnerable to log injection when the log level is set ...2024
CVE-2024-1681 — Improper Output Neutralization for Logs | cvebase