An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. Upstream Release: https://github.com/corydolphin/flask-cors/releases/tag/3.0.9
Created python-flask-cors tracking bugs for this issue: Affects: fedora-all [bug 1876699]
While Red Hat Quay includes an affected Flask-CORS version it doesn't use resource matching to protect private resources. Therefore we rated this issue low impact for Red Hat Quay.
Flask-CORS is only included in Red Hat Quay 3.1 which is in the extended life support phase. In this support phase only qualified import or critical vulnerabilities will be fixed, which this issues doesn't qualify as. https://access.redhat.com/support/policy/updates/rhquay
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25032
External References: https://github.com/corydolphin/flask-cors/releases/tag/3.0.9
Statement: Red Hat Quay includes Flask-CORS but does not use the vulnerable resource matching functionality. Therefore this issue is rated as low impact for Red Hat Quay.