Case-Insensitive Path Matching Leading to CORS Misconfiguration
The vulnerability affects version 4.01 of the software and allows unauthorized origins to access restricted paths due to case-insensitive path matching in the CORS configuration. This issue has not yet been patched.
Available publicly on Aug 28 2024
Remediation Steps
- Update the try_match function to perform case-sensitive matching for request paths.
- Review and update CORS configurations to ensure they correctly enforce security policies.
- Test the application to verify that the CORS policy is correctly enforced for all paths.
- Monitor for any unauthorized access attempts and review logs for potential exploitation.
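The following is an added illustration, not the affected product's code: a minimal CORS path-policy resolver in which try_match can be toggled between the case-insensitive behaviour described above and the case-sensitive fix, plus a check in the spirit of the testing step. The policy, the allowed_origin and find_case_leaks helpers, and the example.com origins are constructed for the example; it assumes the origin server treats paths case-sensitively, so a case variant of a path is a different resource.

```python
from fnmatch import fnmatchcase
from itertools import product

# Constructed policy, first match wins; no match means no CORS headers.
# The origin server is assumed to be case-sensitive, so "/public/*" and
# "/Public/*" are different resources and must not share one rule.
POLICY = [
    ("/public/*", {"*"}),                        # open static content
    ("/api/*", {"https://app.example.com"}),     # first-party front end only
]

def try_match(pattern, path, case_sensitive=True):
    """Vulnerable behaviour when case_sensitive=False: the pattern also
    covers every case variant of the path it was written for."""
    if case_sensitive:
        return fnmatchcase(path, pattern)
    return fnmatchcase(path.lower(), pattern.lower())

def allowed_origin(path, origin, case_sensitive=True):
    """Value for Access-Control-Allow-Origin, or None if the origin is refused."""
    for pattern, origins in POLICY:
        if try_match(pattern, path, case_sensitive):
            if "*" in origins:
                return "*"
            return origin if origin in origins else None
    return None

def case_variants(path):
    """Enumerate case variants of the path (first four letters only, so at
    most 16 candidates); the original spelling is excluded."""
    letters = [i for i, c in enumerate(path) if c.isalpha()][:4]
    out = set()
    for bits in product((0, 1), repeat=len(letters)):
        chars = list(path)
        for i, b in zip(letters, bits):
            chars[i] = chars[i].upper() if b else chars[i].lower()
        out.add("".join(chars))
    return sorted(out - {path})

def find_case_leaks(path, origin):
    """Remediation step 3 as a check: case variants of `path` for which the
    case-insensitive matcher answers differently from the case-sensitive one.
    A non-empty result means a permissive rule leaks onto other resources."""
    return [v for v in case_variants(path)
            if allowed_origin(v, origin, False) != allowed_origin(v, origin, True)]

if __name__ == "__main__":
    print(find_case_leaks("/public/app.js", "https://evil.example"))  # 15 leaked variants
    print(find_case_leaks("/api/users", "https://evil.example"))      # [] (rule is restrictive)
```

Only the permissive "*" rule leaks under case folding; the restrictive /api/* rule still refuses the foreign origin either way, which is why a review of the configuration should concentrate on the open rules.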
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A