CVE-2024-6221 MEDIUM

CVE-2024-6221: Improper Access Control in corydolphin/flask-cors

Vendor Corydolphin
Product corydolphin/flask-cors
Weakness CWE-284
Published August 18, 2024
Last update April 7, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

Key dates

02Disclosure timeline

August 18, 2024 CVE published
April 7, 2025 Record updated