Skip to main content

Improper Output Neutralization for Logs

CVE-2024-1681

Severity Medium
Score 5.3/10

Summary

The corydolphin/flask-cors is vulnerable to log injection when the log level is set to "debug". An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs. This issue affects Flask-Cors versions prior to 4.0.1.

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-117 - Improper Output Neutralization for Logs

The software does not neutralize or incorrectly neutralizes output that is written to logs.

Advisory Timeline

  • Published