Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 931228 (CVE-2024-1681) - <dev-python/flask-cors-4.0.1: log injection when the log level is set to debug
Summary: <dev-python/flask-cors-4.0.1: log injection when the log level is set to debug
Status: CONFIRMED
Alias: CVE-2024-1681
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/advisories/GHSA-84...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 931227
Blocks:
  Show dependency tree
 
Reported: 2024-05-05 04:33 UTC by Michał Górny
Modified: 2024-05-05 06:33 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-05-05 04:33:31 UTC 
From $URL:

> corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-05-05 06:13:39 UTC 
cleanup done.