Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Who to contact for security issues #341

Open
psmoros opened this issue Jan 21, 2024 · 2 comments
Open

Who to contact for security issues #341

psmoros opened this issue Jan 21, 2024 · 2 comments

Comments

@psmoros
Copy link

psmoros commented Jan 21, 2024

Hello 馃憢

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@ehtec) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 馃憤

(cc @huntr-helper)
@byt3bl33d3r
Copy link

Hey @corydolphin , FYI we've received 2 vulnerability reports on Huntr.com related to this project. We've received them on May 13 and will be publishing them on June 30th unless we're able to get in touch with you.

Thanks

@git-thor
Copy link

git-thor commented Jun 5, 2024
edited

Hi @corydolphin, my python-safety run reports the following:

https://data.safetycli.com/v/70813/97c

-> Vulnerability found in flask-cors version 4.0.0
   Vulnerability ID: 70813
   Affected spec: <4.0.1
   ADVISORY: Flask-cors 4.0.1 addresses the CVE-2024-1681:
   corydolphin/flask-cors is vulnerable to log injection when the log level
   is set to debug. An attacker can inject fake log entries into the log file
   by sending a specially crafted GET request containing a CRLF sequence in
   the request path. This vulnerability allows attackers to corrupt log
   files, potentially covering tracks of other attacks, confusing log post-
   processing tools, and forging log entries. The issue is due to improper
   output neutralization for logs.
   CVE-2024-1681
   For more information about this vulnerability, visit
   https://data.safetycli.com/v/70813/97c
   To ignore this vulnerability, use PyUp vulnerability id 70813 in safety鈥檚
   ignore command-line argument or add the ignore to your safety policy file.

https://data.safetycli.com/v/70624/97c

-> Vulnerability found in flask-cors version 4.0.0
   Vulnerability ID: 70624
   Affected spec: >0
   ADVISORY: corydolphin/flask-cors is vulnerable to log injection
   when the log level is set to debug. An attacker can inject fake log
   entries into the log file by sending a specially crafted GET request
   containing a CRLF sequence in the request path. This vulnerability allows
   attackers to corrupt log files, potentially covering tracks of other
   attacks, confusing log post-processing tools, and forging log entries. The
   issue is due to improper output neutralization for logs. See
   CVE-2024-1681.
   CVE-2024-1681
   For more information about this vulnerability, visit
   https://data.safetycli.com/v/70624/97c
   To ignore this vulnerability, use PyUp vulnerability id 70624 in safety鈥檚
   ignore command-line argument or add the ignore to your safety policy file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@byt3bl33d3r @psmoros @git-thor