-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Who to contact for security issues #341
Comments
Hey @corydolphin , FYI we've received 2 vulnerability reports on Huntr.com related to this project. We've received them on May 13 and will be publishing them on June 30th unless we're able to get in touch with you. Thanks |
Hi @corydolphin, my https://data.safetycli.com/v/70813/97c-> Vulnerability found in flask-cors version 4.0.0
Vulnerability ID: 70813
Affected spec: <4.0.1
ADVISORY: Flask-cors 4.0.1 addresses the CVE-2024-1681:
corydolphin/flask-cors is vulnerable to log injection when the log level
is set to debug. An attacker can inject fake log entries into the log file
by sending a specially crafted GET request containing a CRLF sequence in
the request path. This vulnerability allows attackers to corrupt log
files, potentially covering tracks of other attacks, confusing log post-
processing tools, and forging log entries. The issue is due to improper
output neutralization for logs.
CVE-2024-1681
For more information about this vulnerability, visit
https://data.safetycli.com/v/70813/97c
To ignore this vulnerability, use PyUp vulnerability id 70813 in safety’s
ignore command-line argument or add the ignore to your safety policy file. https://data.safetycli.com/v/70624/97c-> Vulnerability found in flask-cors version 4.0.0
Vulnerability ID: 70624
Affected spec: >0
ADVISORY: corydolphin/flask-cors is vulnerable to log injection
when the log level is set to debug. An attacker can inject fake log
entries into the log file by sending a specially crafted GET request
containing a CRLF sequence in the request path. This vulnerability allows
attackers to corrupt log files, potentially covering tracks of other
attacks, confusing log post-processing tools, and forging log entries. The
issue is due to improper output neutralization for logs. See
CVE-2024-1681.
CVE-2024-1681
For more information about this vulnerability, visit
https://data.safetycli.com/v/70624/97c
To ignore this vulnerability, use PyUp vulnerability id 70624 in safety’s
ignore command-line argument or add the ignore to your safety policy file. |
@corydolphin Was this vulnerability fully corrected in 4.0.1? For the two entries at safetycli.com linked by @git-thor, they have nearly identical text but one lists the vulnerability as corrected in 4.0.1 while the other has no fix version and considers the latest 5.0.0 as still vulnerable. |
Hi @corydolphin the vulnerability resported by safetycli.com (CVE-2024-6221) seems to affect all versions of Flask-cors. Do you have any recommendation, or plans to work on it? Best! |
Hello 👋
I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@ehtec) has found a potential issue, which I would be eager to share with you.
Could you add a
SECURITY.md
file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.Looking forward to hearing from you 👍
(cc @huntr-helper)
The text was updated successfully, but these errors were encountered: