​
DirectorySecurity Advisories
Sign In
Security Advisories

CVE-2024-1681

Published

Last updated

https://nvd.nist.gov/vuln/detail/CVE-2024-1681

Severity

5.3

Medium

CVSS V3

Summary

flask-cors vulnerable to log injection when the log level is set to debug

Description

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.

References

  • https://github.com/advisories/GHSA-84pr-m4jr-85g5
  • https://nvd.nist.gov/vuln/detail/CVE-2024-1681
  • https://github.com/corydolphin/flask-cors
  • https://github.com/corydolphin/flask-cors/blob/40acc8092332dfed4bb54d7a4f89a6d479466de7/flask_cors/extension.py#L194
  • https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644

Affected packages

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Chainguard Images

Container Image SecurityVulnerability RemediationCompliance and Risk MitigationSoftware Supply Chain SecurityAI/ML Security

Customer StoriesChainguard Love

About UsOpen SourceCareersNewsroomLegal

Unchained BlogResearchEventsTrust CenterDocumentation