2353722 – (CVE-2024-6866) CVE-2024-6866 flask-cors: Case-Insensitive Path Matching in corydolphin/flask-cors

Bug 2353722 (CVE-2024-6866) - CVE-2024-6866 flask-cors: Case-Insensitive Path Matching in corydolphin/flask-cors

Summary: CVE-2024-6866 flask-cors: Case-Insensitive Path Matching in corydolphin/flask...

Keywords:
Status:	NEW
Alias:	CVE-2024-6866
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-20 11:08 UTC by OSIDB Bzimport
Modified:	2025-03-20 15:50 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-03-20 11:08:20 UTC

corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.

Note You need to log in before you can comment on or make changes to this bug.