Medium

flask-cors

Regex Path Matching Vulnerability in CORS Policy

A vulnerability in version 4.0.1 of the flask-cors plugin allows less restrictive CORS policies to be applied to sensitive endpoints due to improper sorting of regex patterns. This issue was patched in a later version.

Available publicly on Aug 29 2024

4.3

CVE:

CVE-2024-6839

CWE:

41:Improper Resolution of Path Equivalence

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Credit:

tomorroisnew
AssessDetect

Unavailable

Remediate
Remediation Steps
  • Update to the latest version of flask-cors where the issue has been patched.
  • Review and test CORS policy configurations to ensure that specific and restrictive patterns are correctly prioritized.
  • Consider using explicit path definitions instead of regex patterns for highly sensitive endpoints to avoid ambiguity.
  • Monitor application logs for any unauthorized access attempts and adjust CORS policies as necessary.
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.