CVE-2020-25032: Flask-Cors Directory Traversal vulnerability
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
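As an added illustration (not Flask-CORS's own code), a minimal resource matcher in the style the advisory describes: the first version applies per-resource CORS options to the request path exactly as received, so a path containing ../ segments can be matched against the wrong resource pattern before the application itself normalizes it; the hardened version canonicalizes the path first, and a comparison of the two decisions doubles as a detection check. The resource table, paths and options below are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed resource table: regex on the request path -> CORS options.
# Only the public API is meant to be readable cross-origin.
RESOURCES = [
    (re.compile(r"^/api/public/.*$"), {"origins": "*"}),
    (re.compile(r"^/api/private/.*$"), {"origins": "https://app.example.com"}),
]
NO_CORS = {"origins": None}  # no CORS headers emitted at all


def match_raw(path):
    """Pick CORS options for the path as received, without canonicalizing.

    This mirrors the weakness the advisory describes: '/api/public/../private/x'
    satisfies the public pattern even though the application will route it to
    the private resource once it collapses the '..' segment.
    """
    for regex, options in RESOURCES:
        if regex.match(path):
            return options
    return NO_CORS


def canonicalize(path):
    """Percent-decode, collapse '.', '..' and repeated slashes, and anchor the
    result at '/' so it can never climb above the root."""
    decoded = unquote(path)
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    norm = posixpath.normpath(decoded)
    # posixpath.normpath preserves a leading '//'; collapse it as well.
    return "/" + norm.lstrip("/")


def match_canonical(path):
    """Hardened matcher: decide policy on the same canonical path the
    application will actually route."""
    return match_raw(canonicalize(path))


def policy_differs(path):
    """Detection aid: True when raw and canonical matching disagree, i.e. the
    request path would have received a CORS policy meant for another resource."""
    return match_raw(path) != match_canonical(path)
```

Logging requests for which `policy_differs` is true gives a cheap indicator of attempted pattern bypass while the dependency is being upgraded.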
References
- github.com/advisories/GHSA-xc3p-ff3m-f46v
- github.com/corydolphin/flask-cors
- github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
- github.com/corydolphin/flask-cors/releases/tag/3.0.9
- github.com/pypa/advisory-database/tree/main/vulns/flask-cors/PYSEC-2020-43.yaml
- nvd.nist.gov/vuln/detail/CVE-2020-25032
- www.debian.org/security/2020/dsa-4775