UbuntuUpdates.org

Package "python3-flask-cors"

Name: python3-flask-cors

Description:

Flask extension for handling CORS (Python 3)
Latest version: 3.0.9-2ubuntu0.1
Release: jammy (22.04)
Level: updates
Repository: universe
Head package: python-flask-cors
Homepage: http://flask-cors.corydolphin.com

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "python3-flask-cors"

All arch deb package
APT INSTALL

Other versions of "python3-flask-cors" in Jammy

Repository Area Version
base universe 3.0.9-2
security universe 3.0.9-2ubuntu0.1

Changelog

Version: 3.0.9-2ubuntu0.1 2025-07-02 13:52:32 UTC

  python-flask-cors (3.0.9-2ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Unauthorized Cross-Origin Access
    - debian/patches/CVE-2024-6839-1.patch: Sort paths by regex
      specificity
    - debian/patches/CVE-2024-6839-2.patch: Sort paths longest to
      shortest
    - debian/patches/CVE-2024-6839-3.patch: Rename "helper_tests.py" to
      "test_helpers.py".
    - CVE-2024-6839
  * SECURITY UPDATE: Private Resource Exposure
    - debian/patches/CVE-2024-6221.patch: Add option to allow
      "Access-Control-Allow-Private-Network" CORS header to be false
    - CVE-2024-6221
  * SECURITY UPDATE: Information Leak
    - debian/patches/CVE-2024-6866.patch: Implements case sensitive
      request path matching
    - CVE-2024-6866
  * SECURITY UPDATE: Undefined CORS Policy Application
    - debian/patches/CVE-2024-6844.patch: Fix incorrect path normalization
    - CVE-2024-6844
  * SECURITY UPDATE: Log Injection
    - debian/patches/CVE-2024-1681.patch: Update extension.py to clean
      request.path before logging it
    - CVE-2024-1681

 -- Bruce Cable <email address hidden> Mon, 30 Jun 2025 17:27:53 +1000
CVE-2024-6839 corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more s
CVE-2024-6221 A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. T
CVE-2024-6866 corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` fu
CVE-2024-6844 A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths.
CVE-2024-1681 corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file b


About   -   Send Feedback to @ubuntu_updates