CVE-2024-21644: 
Python vulnerability analysis and mitigation

pyLoad, a free and open-source Download Manager written in Python, was found to contain a security vulnerability (CVE-2024-21644) where any unauthenticated user could access the Flask configuration, including the sensitive SECRET_KEY variable, through a specific URL. The vulnerability was discovered in versions prior to 0.5.0b3.dev77 and was patched in version 0.5.0b3.dev77 (GitHub Advisory).

The vulnerability stems from an unprotected route that allows unauthenticated access to template rendering. When accessing the '/render/info.html' endpoint, the Flask configuration gets exposed due to a naming collision where the template variable 'config' overlaps with Flask's default config context variable. This occurs because the normal execution path that would overwrite this variable is bypassed when directly accessing the render route. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating it can be exploited remotely without requiring privileges or user interaction (GitHub Advisory).

The exposure of the Flask configuration, particularly the SECRET_KEY variable, could have severe security implications depending on how the configuration data is used within the application. The SECRET_KEY is a critical security component in Flask applications, and its exposure could potentially compromise the application's security mechanisms (GitHub Advisory).

The vulnerability has been patched in version 0.5.0b3.dev77. Users are advised to upgrade to this version or later. The fix involves modifying the template variable name to prevent the configuration exposure (GitHub Patch).