{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"python-Flask-Cors security update", "category":"general", "title":"Synopsis" }, { "text":"An update for python-Flask-Cors is now available for openEuler-24.03-LTS-SP2", "category":"general", "title":"Summary" }, { "text":"A Flask extension for handling Cross Origin Resource Sharing (CORS), making cross-origin AJAX possible.\n\nSecurity Fix(es):\n\ncorydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.(CVE-2024-6839)\n\nA vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.(CVE-2024-6844)\n\ncorydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.(CVE-2024-6866)", "category":"general", "title":"Description" }, { "text":"An update for python-Flask-Cors is now available for openEuler-24.03-LTS-SP2.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"python-Flask-Cors", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-1981", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1981" }, { "summary":"CVE-2024-6839", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-6839&packageName=python-Flask-Cors" }, { "summary":"CVE-2024-6844", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-6844&packageName=python-Flask-Cors" }, { "summary":"CVE-2024-6866", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-6866&packageName=python-Flask-Cors" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6839" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6844" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6866" }, { "summary":"openEuler-SA-2025-1981 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1981.json" } ], "title":"An update for python-Flask-Cors is now available for openEuler-24.03-LTS-SP2", "tracking":{ "initial_release_date":"2025-08-08T19:23:18+08:00", "revision_history":[ { "date":"2025-08-08T19:23:18+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-08-08T19:23:18+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-08-08T19:23:18+08:00", "id":"openEuler-SA-2025-1981", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"openEuler-24.03-LTS-SP2", "name":"openEuler-24.03-LTS-SP2" }, "name":"openEuler-24.03-LTS-SP2", "category":"product_version" } ], "category":"product_name" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"python-Flask-Cors-6.0.1-1.oe2403sp2.src.rpm", "name":"python-Flask-Cors-6.0.1-1.oe2403sp2.src.rpm" }, "name":"python-Flask-Cors-6.0.1-1.oe2403sp2.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch.rpm", "name":"python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch.rpm" }, "name":"python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch.rpm", "name":"python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch.rpm" }, "name":"python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"python-Flask-Cors-6.0.1-1.oe2403sp2.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:python-Flask-Cors-6.0.1-1.oe2403sp2.src", "name":"python-Flask-Cors-6.0.1-1.oe2403sp2.src as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch", "name":"python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch", "name":"python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2024-6839", "notes":[ { "text":"corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP2:python-Flask-Cors-6.0.1-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP2:python-Flask-Cors-6.0.1-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch" ], "details":"python-Flask-Cors security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1981" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":4.3, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP2:python-Flask-Cors-6.0.1-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2024-6839" }, { "cve":"CVE-2024-6844", "notes":[ { "text":"A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP2:python-Flask-Cors-6.0.1-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP2:python-Flask-Cors-6.0.1-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch" ], "details":"python-Flask-Cors security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1981" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.3, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP2:python-Flask-Cors-6.0.1-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2024-6844" }, { "cve":"CVE-2024-6866", "notes":[ { "text":"corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP2:python-Flask-Cors-6.0.1-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP2:python-Flask-Cors-6.0.1-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch" ], "details":"python-Flask-Cors security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1981" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.3, "vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP2:python-Flask-Cors-6.0.1-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:python-Flask-Cors-help-6.0.1-1.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:python3-Flask-Cors-6.0.1-1.oe2403sp2.noarch" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2024-6866" } ] }