CVE-2024-6221

HIGH

corydolphin/flask-cors 4.0.1 - Info Disclosure


Description

In corydolphin/flask-cors version 4.0.1 the `Access-Control-Allow-Private-Network` CORS response header is set to `true` by default. This default can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

Scores

CVSS v3 7.5
EPSS 0.0064
EPSS Percentile 70.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (2)
corydolphin/flask-cors 4.0.1
pypi/Flask-Cors 0 - 4.0.2 (PyPI)
Published Aug 18, 2024
Tracked Since Feb 18, 2026