UbuntuUpdates.org

Package "python3-flask-cors"

Name: python3-flask-cors

Description:

Flask extension for handling CORS (Python 3)

Latest version: 4.0.1-1ubuntu0.1
Release: oracular (24.10)
Level: updates
Repository: universe
Head package: python-flask-cors
Homepage: https://github.com/corydolphin/flask-cors

Links


Download "python3-flask-cors"


Other versions of "python3-flask-cors" in Oracular

Repository Area Version
base universe 4.0.1-1
security universe 4.0.1-1ubuntu0.1

Changelog

Version: *DELETED* 2025-07-02 11:07:03 UTC
Moved to oracular:universe:security
No changelog for deleted or moved packages.

Version: 4.0.1-1ubuntu0.1 2025-07-02 10:07:02 UTC

  python-flask-cors (4.0.1-1ubuntu0.1) oracular-security; urgency=medium

  * SECURITY UPDATE: Unauthorized Cross-Origin Access
    - debian/patches/CVE-2024-6839-1.patch: Sort paths by regex
      specificity
    - debian/patches/CVE-2024-6839-2.patch: Sort paths longest to
      shortest
    - debian/patches/CVE-2024-6839-3.patch: Rename "helper_tests.py" to
      "test_helpers.py".
    - CVE-2024-6839
  * SECURITY UPDATE: Private Resource Exposure
    - debian/patches/CVE-2024-6221.patch: Add option to allow
      "Access-Control-Allow-Private-Network" CORS header to be false
    - CVE-2024-6221
  * SECURITY UPDATE: Information Leak
    - debian/patches/CVE-2024-6866.patch: Implements case sensitive
      request path matching
    - CVE-2024-6866
  * SECURITY UPDATE: Undefined CORS Policy Application
    - debian/patches/CVE-2024-6844.patch: Fix incorrect path normalization
    - CVE-2024-6844

 -- Bruce Cable <email address hidden> Mon, 30 Jun 2025 17:28:14 +1000

CVE-2024-6839 corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more s
CVE-2024-6221 A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. T
CVE-2024-6866 corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` fu
CVE-2024-6844 A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths.



About   -   Send Feedback to @ubuntu_updates