CVE-2024-6221: Improper Access Control in corydolphin/flask-cors
First published: Sun Aug 18 2024(Updated: )
A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.
Credit: security@huntr.dev security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/Flask-Cors | <4.0.2 | 4.0.2 |
| Flask-CORS | =4.0.1 | |
| =4.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2024-6221
- https://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d
- https://github.com/pypa/advisory-database/tree/main/vulns/flask-cors/PYSEC-2024-71.yaml
- https://github.com/corydolphin/flask-cors/issues/362
- https://github.com/corydolphin/flask-cors/pull/363
- https://github.com/corydolphin/flask-cors/pull/368
- https://github.com/corydolphin/flask-cors/commit/c8514760cf03fcce16d77f6db7007aad429c4548
- https://github.com/corydolphin/flask-cors/releases
- https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec
- https://github.com/advisories/GHSA-hxwh-jpp2-84pm (Advisory)
- https://github.com/corydolphin/flask-cors/commit/03aa3f8e2256437f7bad96422a747b98ab5e31bf
Frequently Asked Questions
What is the severity of CVE-2024-6221?
CVE-2024-6221 has a high severity level due to the risk of unauthorized access to private network resources.
How do I fix CVE-2024-6221?
To fix CVE-2024-6221, upgrade Flask-Cors to version 4.0.2 or later.
What systems are affected by CVE-2024-6221?
CVE-2024-6221 specifically affects Flask-Cors version 4.0.1.
What vulnerabilities does CVE-2024-6221 introduce?
CVE-2024-6221 introduces the risk of exposing private network resources due to a misconfigured CORS header.
What can happen if I do not address CVE-2024-6221?
If not addressed, CVE-2024-6221 can lead to unauthorized external access to sensitive network resources.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/author
- agent/severity
- agent/event
- collector/github-advisory
- source/GitHub
- alias/GHSA-hxwh-jpp2-84pm
- alias/CVE-2024-6221
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/description
- agent/tags
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- agent/last-modified-date
- collector/nvd-cve
- package-manager/pip
- vendor/corydolphin
- canonical/flask-cors
- version/flask-cors/4.0.1