Bug 1876698 (CVE-2020-25032)

Summary: CVE-2020-25032 python-flask-cors: allows ../ directory traversal to access private resources
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: bdettelb, fzatlouk, kmullins, tomckay
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: python-flask-cors-3.0.9
Doc Text:
A flaw was found in Flask-CORS (aka CORS Middleware for Flask). This issue allows the ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. The highest threat from this vulnerability is to confidentiality.
Last Closed: 2020-09-10 01:17:46 UTC
Bug Depends On: 1876699
Bug Blocks: 1876700

Description Marian Rehak 2020-09-08 01:49:29 UTC
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.

Upstream Release:

https://github.com/corydolphin/flask-cors/releases/tag/3.0.9
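
A simplified model of the flaw described above, added here as an illustration; it is not Flask-CORS code and not the upstream 3.0.9 patch. The resource pattern, request paths and function names are constructed for the example, which compares a matcher that tests the path as received with one that canonicalizes it first.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed resource map: only /api/public/ is meant to receive CORS headers.
RESOURCES = [(re.compile(r"/api/public/.*"), {"origins": "*"})]


def match_raw(path):
    """Before: test the pattern against the request path exactly as received."""
    for pattern, options in RESOURCES:
        if pattern.match(path):
            return options
    return None


def canonicalize(path):
    """Percent-decode once, then collapse '.', '..' and repeated slashes."""
    decoded = unquote(path)
    canonical = posixpath.normpath(decoded)
    if canonical.startswith("//"):  # normpath preserves exactly two leading slashes
        canonical = "/" + canonical.lstrip("/")
    if decoded.endswith("/") and canonical != "/":  # normpath drops the trailing slash
        canonical += "/"
    return canonical


def match_canonical(path):
    """After: test the pattern against the canonical form only."""
    canonical = canonicalize(path)
    for pattern, options in RESOURCES:
        if pattern.fullmatch(canonical):
            return options
    return None


def compare(paths):
    """Return (path, canonical form, raw decision, canonical decision) per path."""
    return [(p, canonicalize(p), match_raw(p) is not None,
             match_canonical(p) is not None) for p in paths]


if __name__ == "__main__":
    # Constructed request paths.
    for row in compare(["/api/public/items", "/api/public/../private/report",
                        "/api/public/%2e%2e/private/report"]):
        print(row)
```

Any component that makes a policy decision on a path has to apply the same canonicalization as the component that finally resolves it; otherwise the two can disagree about which resource a request names.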

Comment 1 Marian Rehak 2020-09-08 01:49:45 UTC
Created python-flask-cors tracking bugs for this issue:

Affects: fedora-all [bug 1876699]

Comment 2 Jason Shepherd 2020-09-09 22:57:02 UTC
While Red Hat Quay includes an affected Flask-CORS version, it doesn't use resource matching to protect private resources. Therefore we rated this issue low impact for Red Hat Quay.

Comment 5 Jason Shepherd 2020-09-09 23:13:38 UTC
Flask-CORS is only included in Red Hat Quay 3.1, which is in the extended life support phase. In this support phase only qualified important or critical vulnerabilities will be fixed, which this issue doesn't qualify as.

https://access.redhat.com/support/policy/updates/rhquay

Comment 7 Product Security DevOps Team 2020-09-10 01:17:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25032

Comment 8 Przemyslaw Roguski 2020-09-11 08:31:35 UTC
External References:

https://github.com/corydolphin/flask-cors/releases/tag/3.0.9

Comment 9 Jason Shepherd 2020-09-14 22:59:47 UTC
Statement:

Red Hat Quay includes Flask-CORS but does not use the vulnerable resource matching functionality. Therefore this issue is rated as low impact for Red Hat Quay.