| Summary: | <dev-python/flask-cors-4.0.1: log injection when the log level is set to debug | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michał Górny <mgorny> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | proxy-maint, python, wking |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/advisories/GHSA-84pr-m4jr-85g5 | ||
| Whiteboard: | B3 [glsa?] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 931227 | ||
| Bug Blocks: | |||
cleanup done. |
From $URL: > corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.