UbuntuUpdates.org

Package "python3-flask-cors"

Name: python3-flask-cors

Description:

Flask extension for handling CORS (Python 3)
Latest version: 5.0.0-1ubuntu0.1
Release: plucky (25.04)
Level: security
Repository: universe
Head package: python-flask-cors
Homepage: https://github.com/corydolphin/flask-cors

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "python3-flask-cors"

All arch deb package
APT INSTALL

Other versions of "python3-flask-cors" in Plucky

Repository Area Version
base universe 5.0.0-1
updates universe 5.0.0-1ubuntu0.1

Changelog

Version: *DELETED* 2025-07-02 09:06:53 UTC
No changelog for deleted or moved packages.

Version: 5.0.0-1ubuntu0.1 2025-07-02 07:07:00 UTC

  python-flask-cors (5.0.0-1ubuntu0.1) plucky-security; urgency=medium

  * SECURITY UPDATE: Unauthorized Cross-Origin Access
    - debian/patches/CVE-2024-6839-1.patch: Sort paths by regex
      specificity
    - debian/patches/CVE-2024-6839-2.patch: Sort paths longest to
      shortest
    - debian/patches/CVE-2024-6839-3.patch: Rename "helper_tests.py" to
      "test_helpers.py".
    - CVE-2024-6839
  * SECURITY UPDATE: Information Leak
    - debian/patches/CVE-2024-6866.patch: Implements case sensitive
      request path matching
    - CVE-2024-6866
  * SECURITY UPDATE: Undefined CORS Policy Application
    - debian/patches/CVE-2024-6844.patch: Fix incorrect path normalization
    - CVE-2024-6844

 -- Bruce Cable <email address hidden> Mon, 30 Jun 2025 17:28:14 +1000
CVE-2024-6839 corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more s
CVE-2024-6866 corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` fu
CVE-2024-6844 A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths.


About   -   Send Feedback to @ubuntu_updates