{"id":"USN-7612-1","summary":"python-flask-cors vulnerabilities","details":"It was discovered that Flask-CORS did not correctly handle certain regular\nexpressions. A remote attacker could possibly use this issue to leak\nsensitive information or bypass authentication mechanisms. (CVE-2024-6839)\nIt was discovered that Flask-CORS allowed certain CORS headers to be\nenabled by default. A remote attacker could possibly use this issue to leak\nsensitive information. This issue only affected Ubuntu 20.04 LTS, Ubuntu\n22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-6221)  It was\ndiscovered that Flask-CORS did not correctly handle case sensitivity when\nmatching paths. A remote attacker could possibly use this issue to leak\nsensitive information. (CVE-2024-6866)  It was discovered that Flask-CORS\ndid not correctly handle certain characters in URL paths. A remote attacker\ncould possibly use this issue to leak sensitive information or bypass\nauthentication mechanisms. (CVE-2024-6844)  Elias Hohl discovered that\nFlask-CORS did not correctly sanitize log entries. A remote attacker could\npossibly use this issue to corrupt log files. This issue only affected\nUbuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. 
(CVE-2024-1681)","modified":"2026-02-10T04:49:33Z","published":"2025-07-02T04:59:38Z","related":["UBUNTU-CVE-2024-1681","UBUNTU-CVE-2024-6221","UBUNTU-CVE-2024-6839","UBUNTU-CVE-2024-6844","UBUNTU-CVE-2024-6866"],"upstream":["CVE-2024-1681","CVE-2024-6221","CVE-2024-6839","CVE-2024-6844","CVE-2024-6866","UBUNTU-CVE-2024-1681","UBUNTU-CVE-2024-6221","UBUNTU-CVE-2024-6839","UBUNTU-CVE-2024-6844","UBUNTU-CVE-2024-6866"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7612-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-1681"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-6221"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-6839"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-6844"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-6866"}],"affected":[{"package":{"name":"python-flask-cors","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/python-flask-cors@3.0.8-2ubuntu0.1+esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.8-2ubuntu0.1+esm1"}]}],"versions":["3.0.8-2","3.0.8-2ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"3.0.8-2ubuntu0.1+esm1","binary_name":"python3-flask-cors"}],"availability":"Available with Ubuntu Pro: 
https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7612-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:20.04:LTS","cves":[{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-1681"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6221"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6839"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6844"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6866"}]}}},{"package":{"name":"python-flask-cors","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/python-flask-cors@3.0.9-2ubuntu0.1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.9-2ubuntu0.1"}]}],"versions":["3.0.9-2"],"ecosystem_specific":{"binaries":[{"binary_version":"3.0.9-2ubuntu0.1","binary_name":"python3-flask-cors"}],"availability":"No subscription 
required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7612-1.json","cves_map":{"ecosystem":"Ubuntu:22.04:LTS","cves":[{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-1681"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6221"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6839"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6844"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6866"}]}}},{"package":{"name":"python-flask-cors","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/python-flask-cors@4.0.0-1ubuntu0.1~esm1?arch=source&distro=esm-apps/noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.0-1ubuntu0.1~esm1"}]}],"versions":["4.0.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"4.0.0-1ubuntu0.1~esm1","binary_name":"python3-flask-cors"}],"availability":"Available with Ubuntu Pro: 
https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7612-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:24.04:LTS","cves":[{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-1681"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6221"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6839"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6844"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-6866"}]}}}],"schema_version":"1.7.3"}