CVE-2024-6221: Improper Access Control in corydolphin/flask-cors

6.5 CVSS

Description

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.
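To make the failure mode concrete, the following added example (not code from flask-cors or from the advisory) models the preflight decision behind this CVE with the standard library only. A Private Network Access preflight from a public page carries `Access-Control-Request-Private-Network: true`; a server that answers `Access-Control-Allow-Private-Network: true` lets that page's scripts reach a service on the user's private network through the browser. The `CorsPolicy` class is a hypothetical stand-in for the relevant `CORS()` options, its `allow_private_network` field mirrors the flask-cors keyword of that name, and `True` reproduces the 4.0.1 default described above; the request headers are constructed. The `audit_pna` check flags the vulnerable pattern in a captured preflight response.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# Header names from the Private Network Access (PNA) preflight.
PNA_REQUEST = "Access-Control-Request-Private-Network"
PNA_ALLOW = "Access-Control-Allow-Private-Network"


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


@dataclass(frozen=True)
class CorsPolicy:
    """Hypothetical stand-in for the relevant CORS() options (not the library's class).

    allow_private_network mirrors the flask-cors keyword of the same name;
    True reproduces the 4.0.1 default that CVE-2024-6221 describes.
    """
    origins: Sequence[str] = ("*",)
    allow_private_network: bool = True


def origin_allowed(policy: CorsPolicy, origin: str) -> bool:
    return "*" in policy.origins or origin in policy.origins


def preflight_response(policy: CorsPolicy, request: Dict[str, str]) -> Dict[str, str]:
    """Model of the OPTIONS preflight answer a server produces under a policy."""
    origin = _get(request, "Origin")
    if origin is None or not origin_allowed(policy, origin):
        return {}  # origin not permitted: emit no CORS headers at all
    response = {
        "Access-Control-Allow-Origin": "*" if "*" in policy.origins else origin,
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    }
    wants_pna = (_get(request, PNA_REQUEST) or "").lower() == "true"
    # The CVE condition: the grant below is issued with allow_private_network
    # left at its True default, so any permitted origin (here: everyone) gets it.
    if wants_pna and policy.allow_private_network:
        response[PNA_ALLOW] = "true"
    return response


def audit_pna(preflight: Dict[str, str]) -> Optional[str]:
    """Flag a preflight response that grants private-network access to every origin."""
    if (_get(preflight, PNA_ALLOW) or "").lower() != "true":
        return None
    if _get(preflight, "Access-Control-Allow-Origin") == "*":
        return f"{PNA_ALLOW}: true granted to wildcard origin (CVE-2024-6221 pattern)"
    return None


# Constructed preflight, as a browser sends it from a public page whose script
# targets an address on the user's private network.
PREFLIGHT_FROM_PUBLIC_PAGE = {
    "Origin": "https://public-site.example",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Private-Network": "true",
}

VULNERABLE_DEFAULT = CorsPolicy()                                  # 4.0.1 default
HARDENED = CorsPolicy(allow_private_network=False)                 # explicit opt-out
SCOPED = CorsPolicy(origins=("https://intranet-tool.example",),    # grant only to one origin
                    allow_private_network=True)

if __name__ == "__main__":
    for name, policy in [("vulnerable default", VULNERABLE_DEFAULT),
                         ("hardened", HARDENED), ("scoped", SCOPED)]:
        resp = preflight_response(policy, PREFLIGHT_FROM_PUBLIC_PAGE)
        print(f"{name}: {resp} -> {audit_pna(resp)}")
```

The mitigation for an affected deployment is to pass `allow_private_network=False` explicitly rather than rely on the default, or, where an internal tool genuinely needs the grant, to pair it with a narrow origin list as `SCOPED` does; the referenced fix commit changes the default itself.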

Classification

CVE ID: CVE-2024-6221

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Problem Types

CWE-284 Improper Access Control

Affected Products

Vendor: corydolphin

Product: corydolphin/flask-cors

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 5.13% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-17 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-6221
https://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d
https://github.com/corydolphin/flask-cors/commit/03aa3f8e2256437f7bad96422a747b98ab5e31bf

Timeline