CVE-2024-6221

Published Aug 18, 2024

Last updated 13 days ago

CVSS high 7.5

Overview

Description: A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.
Source: security@huntr.dev
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

CVSS 3.0

Type: Secondary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: MEDIUM

Weaknesses

security@huntr.dev: CWE-284
nvd@nist.gov: NVD-CWE-Other

Hype score: Not currently trending

I cover SOP, CORS, and a CVE in this week's video. Flask-CORS Vulnerability (CVE-2024-6221) – Your Private Network at Risk! A small CORS mistake can expose internal APIs. Watch the full breakdown 🎥 Video: https://t.co/rLdyAKjwDv
@7h3M0nk
3 Feb 2025
160 Impressions
0 Retweets
5 Likes
1 Bookmark
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:corydolphin:flask-cors:4.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "489D084D-F1F0-4345-ACD8-44B2CF18BDCF"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 3.0

Weaknesses

Social media

Configurations

References