[Snyk:Low] Flask-cors Log Injection LOCUST (Due: 07/23/2024) #5807

cnlucas · 2024-04-24T17:18:44Z

Introduced through
locust@2.14.2

Exploit maturity
Proof of Concept

Detailed paths

Introduced through: project@0.0.0 › locust@2.14.2 › flask-cors@4.0.0
Fix: No remediation path available.

Security information
Factors contributing to the scoring:

Snyk: [CVSS 3.1](https://security.snyk.io/vuln/SNYK-PYTHON-FLASKCORS-6670412) - Low Severity
NVD: Not available. NVD has not yet published its analysis.

Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview

Flask-Cors is an A Flask extension adding a decorator for CORS support

Affected versions of this package are vulnerable to Log Injection when the log level is set to debug. A user can inject or modify messages by abusing CRLF sequences in the request path of a GET request.

The text was updated successfully, but these errors were encountered:

cnlucas added Security: low Remediate within 90 days Security: general General security concern or issue labels Apr 24, 2024

cnlucas added this to the 25.5 milestone Apr 24, 2024

cnlucas mentioned this issue Apr 24, 2024

Check logs Sprint 24.i Week 1 #5795

Closed

2 tasks

This was referenced May 1, 2024

Check logs Sprint 24.i Week 2 #5796

Closed

Check logs Sprint 24.i Week 3 #5797

Closed

This was referenced May 16, 2024

Check logs Sprint 25.1 Week 1 #5820

Closed

Check logs Sprint 25.1 Week 2 #5821

Closed

tmpayton mentioned this issue May 29, 2024

Check logs Sprint 25.2 Week 1 #5843

Closed

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk:Low] Flask-cors Log Injection LOCUST (Due: 07/23/2024) #5807

[Snyk:Low] Flask-cors Log Injection LOCUST (Due: 07/23/2024) #5807

cnlucas commented Apr 24, 2024

[Snyk:Low] Flask-cors Log Injection LOCUST (Due: 07/23/2024) #5807

[Snyk:Low] Flask-cors Log Injection LOCUST (Due: 07/23/2024) #5807

Comments

cnlucas commented Apr 24, 2024