Improper Output Neutralization for Logs
CVE-2024-1681
Summary
The corydolphin/flask-cors is vulnerable to log injection when the log level is set to "debug". An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs. This issue affects Flask-Cors versions prior to 4.0.1.
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-117 - Improper Output Neutralization for Logs
The software does not neutralize or incorrectly neutralizes output that is written to logs.
References
Advisory Timeline
- Published