Arbitrary File Download Affecting flask package, versions [,0.6.1)

Snyk CVSS

Attack Complexity High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-FLASK-40002
published 14 Sep 2017
disclosed 28 Aug 2017
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 28 Aug 2017

CWE-23 Open this link in a new tab

Overview

Affected versions of flask are vulnerable to Arbitrary File Download. A client can use backslashes to escape the directory the files where exposed from. Note: Only if the host server is a windows based operating system.

References

GitHub Changelog
GitHub Commit