Corydolphin Flask-Cors vulnerabilities

5 known vulnerabilities affecting corydolphin/corydolphin_flask-cors.

Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH2MEDIUM3

Vulnerabilities

Page 1 of 1
CVE-2024-6866HIGHCVSS 7.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-6866 [HIGH] CWE-178 CVE-2024-6866: corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration ca
cvelistv5nvd
CVE-2024-6844MEDIUMCVSS 5.3≥ unspecified, ≤ latest2025-03-20
CVE-2024-6844 [MEDIUM] CWE-346 CVE-2024-6844: A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS con
cvelistv5nvd
CVE-2024-6839MEDIUMCVSS 5.3≥ unspecified, ≤ latest2025-03-20
CVE-2024-6839 [MEDIUM] CWE-41 CVE-2024-6839: corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plu corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to s
cvelistv5nvd
CVE-2024-6221HIGHCVSS 7.5≥ unspecified, < 5.0.02024-08-18
CVE-2024-6221 [HIGH] CWE-284 CVE-2024-6221: A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Net A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential ne
cvelistv5nvd
CVE-2024-1681MEDIUMCVSS 5.3≥ unspecified, ≤ latest2024-04-19
CVE-2024-1681 [MEDIUM] CWE-117 CVE-2024-1681: corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacke corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing
cvelistv5nvd