CVE-2020-25032

Published: 31/08/2020 Updated: 28/04/2022
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

An issue exists in Flask-CORS (aka CORS Middleware for Flask) prior to 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
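The summary above attributes the flaw to resource matching that never puts the request path into a canonical form. The following added example is illustrative Python, not Flask-CORS's own code: it contrasts a prefix matcher that uses the path exactly as received with one that percent-decodes and normalizes the path before matching it against the resource table. The resource table, the origins and the sample paths are constructed for the demonstration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed resource table for the example: path prefix -> CORS policy.
# Lookup order matters, so the broad public rule is listed first on purpose.
RESOURCES = {
    "/public/": {"origins": "*"},
    "/private/": {"origins": "https://admin.example"},  # constructed origin
}


def match_without_canonicalization(path: str) -> Optional[dict]:
    """Pattern described in the CVE: match the path as received.

    A path such as /public/../private/data still begins with /public/, so it
    is handed the permissive public policy even though it names a private
    resource once the '..' segment is resolved.
    """
    for prefix, policy in RESOURCES.items():
        if path.startswith(prefix):
            return policy
    return None


def canonicalize(path: str) -> str:
    """Return the canonical form of a URL path for policy matching.

    Steps: percent-decode (so %2e%2e becomes ..), collapse '.', '..' and
    repeated slashes with posixpath.normpath, and keep the path rooted at '/'
    so '..' can never escape above the root. normpath drops a trailing
    slash, which is restored so directory prefixes keep their shape.
    """
    decoded = unquote(path)
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def match_with_canonicalization(path: str) -> Optional[dict]:
    """Hardened matcher: decide the policy from the canonical path only."""
    canonical = canonicalize(path)
    for prefix, policy in RESOURCES.items():
        if canonical.startswith(prefix):
            return policy
    return None


if __name__ == "__main__":
    # Constructed request path that traverses from the public prefix into the
    # private one; the two matchers disagree on which policy applies.
    sample = "/public/../private/data"
    print("raw match      :", match_without_canonicalization(sample))
    print("canonical path :", canonicalize(sample))
    print("canonical match:", match_with_canonicalization(sample))
```

The decision that matters is where normalization happens: it must run before the policy lookup, on the same representation the application will ultimately serve, otherwise two components disagree about which resource a request names and the more permissive rule wins.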

Vulnerable Products

flask-cors project flask-cors

debian debian linux 10.0

opensuse leap 15.1

opensuse backports sle 15.0

opensuse leap 15.2

Vendor Advisories

Debian Bug report logs - #969362 python-flask-cors: CVE-2020-25032. Package: src:python-flask-cors; Maintainer for src:python-flask-cors is Stewart Ferguson <stew@ferg.aero>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 1 Sep 2020 08:54:01 UTC; Severity: important; Tags: security, upstream; Found in ...
A directory traversal vulnerability was discovered in python-flask-cors, a Flask extension for handling Cross Origin Resource Sharing (CORS), allowing access to private resources. For the stable distribution (buster), this problem has been fixed in version 3.0.7-1+deb10u1. We recommend that you upgrade your python-flask-cors packages. For the detai ...