CVE-2024-1681
Published: 19 April 2024
corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.
Notes
| Author | Note |
|---|---|
| sbeattie | seems unfixed upstream as of 2024-04-21 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python-flask-cors Launchpad, Ubuntu, Debian |
focal |
Needs triage
|
| jammy |
Needs triage
|
|
| mantic |
Needs triage
|
|
| noble |
Needs triage
|
|
| upstream |
Needs triage
|