#VU94747 Improper Output Neutralization for Logs in Flask-CORS - CVE-2024-1681

Cybersecurity Help s.r.o.

Published: 2024-07-26

Vulnerability identifier: #VU94747

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-1681

CWE-ID: CWE-117

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Flask-CORS
Universal components / Libraries / Libraries used by multiple products

Vendor: Cory Dolphin

Description

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to excessive data output by the application. A remote attacker can send a specially crafted GET request containing a CRLF sequence in the request path to inject fake log entries into the log file.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Flask-CORS: 4.0.0

External links
https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM Cloud Pak for Data System 2.0 update for Flask-CORS

Multiple vulnerabilities in QRadar Advisor With Watson for IBM QRadar SIEM

Multiple vulnerabilities in IBM Maximo Application Suite - Visual Inspection Component

Improper output neutralization for logs in IBM Maximo Application Suite

openEuler 24.03 LTS update for python-Flask-Cors

Fedora 41 update for python-flask-cors

Multiple vulnerabilities in IBM QRadar Suite Software

Improper output neutralization for logs in Cory Dolphin Flask-CORS