CVE-2024-6221

Published Aug 18, 2024

Last updated 6 months ago

CVSS high 7.5

Overview

Description: A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.
Source: security@huntr.dev
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

CVSS 3.0

Type: Secondary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: MEDIUM

Weaknesses

nvd@nist.gov: NVD-CWE-Other
security@huntr.dev: CWE-284

Hype score: Not currently trending

I cover SOP, CORS, and a CVE in this week's video. Flask-CORS Vulnerability (CVE-2024-6221) – Your Private Network at Risk! A small CORS mistake can expose internal APIs. Watch the full breakdown 🎥 Video: https://t.co/rLdyAKjwDv
@7h3M0nk
3 Feb 2025
160 Impressions
0 Retweets
5 Likes
1 Bookmark
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:corydolphin:flask-cors:4.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "489D084D-F1F0-4345-ACD8-44B2CF18BDCF"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 3.0

Weaknesses

Social media

Configurations

References