Core Server: SERVER-98812

CVE-2024-6221 - Update flask-cors to 4.0.2 or newer

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 8.1.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Build
    • Fully Compatible

      (Mirrored from https://github.com/mongodb/mongo/pull/1606)

      We should consider updating flask-cors to 4.0.2 or newer.

      Description

      A vulnerability in flask-cors version 4.0.1, which mongodb uses, causes the Access-Control-Allow-Private-Network CORS header to be set to true by default, with no configuration option to turn it off. This exposes private network resources to unauthorized external access without any user configuration, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

      Potential Risks

      • Exposure of sensitive private network resources.
      • Unauthorized access leading to data breaches, leakage of sensitive information, or network intrusions.

      Severity

      • CVSS Score: 8.7/10 (High)
      • Weakness: CWE-284 (Improper Access Control)

      Recommended Fix

      • Upgrade flask-cors to version 4.0.2 or later, which resolves this issue by disabling this header by default.
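      Two checks a defender can run for this issue, added here as an example and not part of the ticket or of mongodb's code: whether a requirements pin of flask-cors is older than the 4.0.2 fix, and whether a captured preflight response carries Access-Control-Allow-Private-Network: true. The requirements text and response headers below are constructed sample data.

```python
"""Check a dependency pin and a captured preflight response for CVE-2024-6221.

Sample inputs below are constructed for this example; nothing is fetched.
"""
import re

FIXED_VERSION = (4, 0, 2)  # flask-cors release that turns the header off by default
PNA_HEADER = "access-control-allow-private-network"


def parse_version(text):
    """Turn '4.0.1' or '4.0.2rc1' into a comparable tuple of ints (pre-release tags ignored)."""
    nums = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in nums.groups())


def flask_cors_pin_is_vulnerable(requirements_text):
    """Return True when an exact 'flask-cors==X' pin is older than 4.0.2."""
    for line in requirements_text.splitlines():
        m = re.match(r"\s*flask[-_]cors\s*==\s*([\w.]+)", line, re.IGNORECASE)
        if m:
            return parse_version(m.group(1)) < FIXED_VERSION
    return False  # no exact pin found: this file alone cannot decide


def preflight_exposes_private_network(headers):
    """True when a response advertises Access-Control-Allow-Private-Network: true.

    `headers` maps response header names to values; names are matched case-insensitively.
    """
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return lowered.get(PNA_HEADER) == "true"


# Constructed sample data for this example (not taken from any real deployment).
SAMPLE_REQUIREMENTS = "flask==3.0.3\nflask-cors==4.0.1\n"
VULNERABLE_PREFLIGHT = {
    "Access-Control-Allow-Origin": "https://example.test",
    "Access-Control-Allow-Private-Network": "true",
}
FIXED_PREFLIGHT = {"Access-Control-Allow-Origin": "https://example.test"}

if __name__ == "__main__":
    print("pin vulnerable:", flask_cors_pin_is_vulnerable(SAMPLE_REQUIREMENTS))
    print("preflight exposes PNA:", preflight_exposes_private_network(VULNERABLE_PREFLIGHT))
```

A preflight that still returns the header after the upgrade points to an explicit setting in the application rather than the library default.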

      References

            Assignee: Zack Winter (zack.winter@mongodb.com)
            Reporter: Chris Kelly (chris.kelly@mongodb.com)