Home > Vulnerability Database > CVE-2024-1681

Mend.io Vulnerability Database

CVE-2024-1681

Good to know:

Date: April 19, 2024

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.

Language: Python

Severity Score

5.3

Related Resources (5)

Url: https://github.com/corydolphin/flask-cors/blob/40acc8092332dfed4bb54d7a4f89a6d479466de7/flask_cors/extension.py#L194

Url: https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-1681

Url: https://github.com/corydolphin/flask-cors

Url: https://www.mend.io/vulnerability-database/CVE-2024-1681

Severity Score

5.3

Weakness Type (CWE)

Improper Output Neutralization for Logs

CWE-117

Top Fix

Upgrade Version

Upgrade to version flask-cors - 4.0.1

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-1681

Good to know:

Date: April 19, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?