Candidate: CVE-2020-25032
PublicDate: 2020-08-31 04:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
 https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
Description:
 An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before
 3.0.9. It allows ../ directory traversal to access private resources because
 resource matching does not ensure that pathnames are in a canonical format.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969362
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_python-flask-cors:
upstream_python-flask-cors: released (3.0.9-1)
precise/esm_python-flask-cors: DNE
trusty_python-flask-cors: ignored (out of standard support)
trusty/esm_python-flask-cors: DNE
xenial_python-flask-cors: DNE
bionic_python-flask-cors: DNE
focal_python-flask-cors: needs-triage
groovy_python-flask-cors: ignored (reached end-of-life)
hirsute_python-flask-cors: not-affected (3.0.9-2)
impish_python-flask-cors: not-affected (3.0.9-2)
jammy_python-flask-cors: not-affected (3.0.9-2)
devel_python-flask-cors: not-affected (3.0.9-2)
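The flaw described above is not filesystem traversal: the CORS layer selects a per-resource policy by matching the request path against a list of patterns, and before 3.0.9 it matched the path as received, so a path such as /api/public/../private/secret could be matched by a permissive rule for /api/public/* while the server actually served the private resource. The following is an added illustration, written for this entry and not code from Flask-CORS or the linked commit; the resource table, the glob-to-regex helper and the `canonicalize` function are constructed for the example, and the fixed release is only assumed to canonicalize the path before matching, as the description implies.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample resource table (not flask-cors's own configuration).
# The first matching entry wins, so a permissive public rule shadows the
# strict private rule whenever matching happens on a non-canonical path.
RESOURCES = [
    ("/api/public/*", {"origins": "*"}),
    ("/api/private/*", {"origins": ["https://trusted.example"]}),
]


def _glob_to_regex(pattern):
    """Hypothetical helper: translate a '*'-glob resource key into a regex.
    flask-cors has its own translation; this one is a simplified stand-in."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def canonicalize(path):
    """Return the canonical form of a request path: percent-decode, force a
    leading '/', collapse repeated slashes and resolve '.' and '..' segments.
    Assumed here to mirror what a fixed matcher must do before comparing."""
    decoded = unquote(path)
    # posixpath.normpath preserves a leading '//' (POSIX allows it), so
    # collapse runs of slashes before normalising.
    collapsed = re.sub(r"/+", "/", decoded)
    if not collapsed.startswith("/"):
        collapsed = "/" + collapsed
    return posixpath.normpath(collapsed)


def match_resource(path, resources=RESOURCES, canonical=False):
    """Return the options of the first resource pattern matching the path.

    canonical=False reproduces the pre-3.0.9 behaviour of matching the path
    exactly as received; canonical=True matches the canonical form instead.
    """
    target = canonicalize(path) if canonical else path
    for pattern, options in resources:
        if _glob_to_regex(pattern).fullmatch(target):
            return options
    return None  # no CORS policy applies


if __name__ == "__main__":
    probe = "/api/public/../private/secret"
    print("raw match      :", match_resource(probe))
    print("canonical match:", match_resource(probe, canonical=True))
    print("encoded variant:", match_resource("/api/public/%2e%2e/private/secret", canonical=True))
```

The check a practitioner wants is that the path the CORS layer matches on is the same path the routing layer dispatches on. Canonicalizing before matching closes the gap shown above for literal and percent-encoded dot segments; if a front proxy rewrites or normalizes paths differently from the application, the two views can still diverge and the policy lookup should be validated against the proxy's behaviour as well.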