CVE-2024-1681

Publication date 19 April 2024

Last updated 24 July 2024

Ubuntu priority

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python-flask-cors	24.04 LTS noble	Needs evaluation
	23.10 mantic	Ignored
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation

How can I get the fixes?
What do statuses mean?

Notes

sbeattie

seems unfixed upstream as of 2024-04-21

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-1681
https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644