PT-2020-5746 · Flask+3 · Flask-Cors+3

Published

2020-08-31

Updated

2024-07-12

CVE-2020-25032

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Flask-CORS versions prior to 3.0.9

Description: The issue is related to incorrect path naming checks in the Flask-CORS extension for handling resource sharing between sources. This allows a remote attacker to access private resources by exploiting the directory traversal vulnerability, as the resource matching does not ensure pathnames are in a canonical format. The vulnerability can be exploited to gain access to confidential data.

Recommendations: For versions prior to 3.0.9, update to version 3.0.9 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive resources to minimize the risk of exploitation.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-1188

Related Identifiers

BDU:2021-01702

CVE-2020-25032

DSA-4775-1

GHSA-XC3P-FF3M-F46V

OPENSUSE-SU-2020:1393-1

OPENSUSE-SU-2020:1415-1

OPENSUSE-SU-2020:1423-1

OPENSUSE-SU-2020:1446-1

OPENSUSE-SU-2020_1393-1

OPENSUSE-SU-2024:11206-1

OPENSUSE-SU-2024:14129-1

PYSEC-2020-43

SUSE-SU-2020:2876-1

SUSE-SU-2020:3309-1

USN-6019-1

Affected Products

Flask-Cors

Linuxmint

Suse

Ubuntu

PT-2020-5746 · Flask+3 · Flask-Cors+3

CVE-2020-25032

Weakness Enumeration

Related Identifiers

Affected Products

References · 151