Business Logic Errors

CVE-2024-6844

Medium

5.3/10

Summary

A vulnerability in package corydolphin/flask-cors allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The `request.path` is passed through the `unquote_plus` function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-840 - Business Logic Errors

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

References

Advisory Timeline

Published Mar 20, 2025

Business Logic Errors

CVE-2024-6844

Summary

CWE-840 - Business Logic Errors

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS