CVE-2024-6221
Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default
Severity: 7.5 HIGH (CVSS 3.1) | EPSS: 0.64%
Description
A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This header is the server's answer to a browser's Private Network Access preflight (sent with `Access-Control-Request-Private-Network: true`), so returning true unconditionally tells the browser that any origin it would otherwise allow may also reach this service on a private network address. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.
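The check below is an added example for this advisory, not code from the Flask-CORS project or from the advisory itself. It uses only the Python standard library: `grants_private_network` inspects a preflight response's headers for the grant described above, `audit_preflight` flags a grant made to an origin outside a trusted set, and `preflight` sends a real Private Network Access preflight to a live endpoint (the URL, origins and header sets used here are constructed sample values). The Flask-CORS option name `allow_private_network` mentioned in the comments is an assumption about the library's configuration key and should be checked against the installed version's documentation.

```python
"""Audit CORS preflight responses for the Private Network Access grant.

Added example, not part of the advisory or of Flask-CORS. Standard library only,
so the audit functions run offline against constructed header sets; `preflight`
performs a network request and is only for checking a live deployment.
"""
from __future__ import annotations

import urllib.request
from typing import Mapping

# Header pair defined by the browser Private Network Access mechanism.
PNA_REQUEST = "Access-Control-Request-Private-Network"
PNA_ALLOW = "Access-Control-Allow-Private-Network"


def grants_private_network(headers: Mapping[str, str]) -> bool:
    """Return True if the response opts the caller into private network access.

    Header names are matched case-insensitively; only the literal value "true"
    (after trimming whitespace) counts as a grant.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get(PNA_ALLOW.lower(), "").strip().lower() == "true"


def audit_preflight(origin: str, headers: Mapping[str, str],
                    trusted_origins: set[str]) -> str:
    """Classify one preflight response for the given requesting origin."""
    if not grants_private_network(headers):
        return "ok: private network access not granted"
    if origin in trusted_origins:
        return f"ok: private network access granted to trusted origin {origin}"
    return f"FINDING: {PNA_ALLOW}: true returned to untrusted origin {origin}"


def preflight(url: str, origin: str, method: str = "GET") -> dict[str, str]:
    """Send a Private Network Access preflight to a live server (network call).

    Returns the response headers so they can be passed to audit_preflight().
    """
    request = urllib.request.Request(
        url,
        method="OPTIONS",
        headers={
            "Origin": origin,
            "Access-Control-Request-Method": method,
            PNA_REQUEST: "true",
        },
    )
    with urllib.request.urlopen(request) as response:
        return dict(response.headers.items())


# Constructed sample responses. The first models what the vulnerable default in
# Flask-CORS 4.0.1 produces for an allowed origin; the second models a server
# that leaves the header off (the behaviour a fixed version gives unless the
# option, assumed here to be named allow_private_network, is enabled on purpose).
VULNERABLE_DEFAULT_RESPONSE = {
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Private-Network": "true",
}
FIXED_RESPONSE = {
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
}

TRUSTED = {"https://intranet-dashboard.example"}


def demo() -> list[str]:
    """Run the audit over the constructed samples and return the verdicts."""
    return [
        audit_preflight("https://untrusted.example", VULNERABLE_DEFAULT_RESPONSE, TRUSTED),
        audit_preflight("https://untrusted.example", FIXED_RESPONSE, TRUSTED),
        audit_preflight("https://intranet-dashboard.example", VULNERABLE_DEFAULT_RESPONSE, TRUSTED),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Against a running service, replace the constructed dictionaries with `preflight("https://service.internal.example/api", "https://untrusted.example")` and pass the result to `audit_preflight`; a `FINDING` verdict for an origin you do not control means the deployment is still returning the unconditional grant this advisory describes.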
How to fix CVE-2024-6221
To remediate CVE-2024-6221, upgrade the affected package to a fixed version below.
- upgrade to 5.0.0-1 or later
- upgrade to 4.0.2 or later
- no fix listed
- upgrade to 4.0.2 or later
Is CVE-2024-6221 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 5.0.0-1
- from 0, < 4.0.2
- from 0, <= 4.0.1
- from 0, < 4.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |