{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"python-Flask-Cors security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for python-Flask-Cors is now available for openEuler-24.03-LTS",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"A Flask extension for handling Cross Origin Resource Sharing (CORS), making cross-origin AJAX possible.\n\nSecurity Fix(es):\n\nA vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.(CVE-2024-6221)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for python-Flask-Cors is now available for openEuler-24.03-LTS.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"python-Flask-Cors",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2024-2198",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2198"
			},
			{
				"summary":"CVE-2024-6221",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-6221&packageName=python-Flask-Cors"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6221"
			},
			{
				"summary":"openEuler-SA-2024-2198 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openeuler-sa-2024-2198.json"
			}
		],
		"title":"An update for python-Flask-Cors is now available for openEuler-24.03-LTS",
		"tracking":{
			"initial_release_date":"2024-09-27T19:47:20+08:00",
			"revision_history":[
				{
					"date":"2024-09-27T19:47:20+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2024-09-27T19:47:20+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-09-27T19:47:20+08:00",
			"id":"openEuler-SA-2024-2198",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"openEuler-24.03-LTS",
									"name":"openEuler-24.03-LTS"
								},
								"name":"openEuler-24.03-LTS",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"python-Flask-Cors-5.0.0-1.oe2403.src.rpm",
									"name":"python-Flask-Cors-5.0.0-1.oe2403.src.rpm"
								},
								"name":"python-Flask-Cors-5.0.0-1.oe2403.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"python-Flask-Cors-help-5.0.0-1.oe2403.noarch.rpm",
									"name":"python-Flask-Cors-help-5.0.0-1.oe2403.noarch.rpm"
								},
								"name":"python-Flask-Cors-help-5.0.0-1.oe2403.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"python3-Flask-Cors-5.0.0-1.oe2403.noarch.rpm",
									"name":"python3-Flask-Cors-5.0.0-1.oe2403.noarch.rpm"
								},
								"name":"python3-Flask-Cors-5.0.0-1.oe2403.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"python-Flask-Cors-5.0.0-1.oe2403.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:python-Flask-Cors-5.0.0-1.oe2403.src",
					"name":"python-Flask-Cors-5.0.0-1.oe2403.src as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"python-Flask-Cors-help-5.0.0-1.oe2403.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:python-Flask-Cors-help-5.0.0-1.oe2403.noarch",
					"name":"python-Flask-Cors-help-5.0.0-1.oe2403.noarch as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"python3-Flask-Cors-5.0.0-1.oe2403.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:python3-Flask-Cors-5.0.0-1.oe2403.noarch",
					"name":"python3-Flask-Cors-5.0.0-1.oe2403.noarch as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2024-6221",
			"notes":[
				{
					"text":"A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:python-Flask-Cors-5.0.0-1.oe2403.src",
					"openEuler-24.03-LTS:python-Flask-Cors-help-5.0.0-1.oe2403.noarch",
					"openEuler-24.03-LTS:python3-Flask-Cors-5.0.0-1.oe2403.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:python-Flask-Cors-5.0.0-1.oe2403.src",
						"openEuler-24.03-LTS:python-Flask-Cors-help-5.0.0-1.oe2403.noarch",
						"openEuler-24.03-LTS:python3-Flask-Cors-5.0.0-1.oe2403.noarch"
					],
					"details":"python-Flask-Cors security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2198"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:python-Flask-Cors-5.0.0-1.oe2403.src",
						"openEuler-24.03-LTS:python-Flask-Cors-help-5.0.0-1.oe2403.noarch",
						"openEuler-24.03-LTS:python3-Flask-Cors-5.0.0-1.oe2403.noarch"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2024-6221"
		}
	]
}