cvelistv5 - CVE-2021-32618

URL	Tags
security-advisories@github.com	https://github.com/Flask-Middleware/flask-security/issues/486	Third Party Advisory
security-advisories@github.com	https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Flask-Middleware/flask-security/issues/486	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c	Third Party Advisory

gsd-2021-32618

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the 'autocorrect_location_header=False`.

Aliases

CVE-2021-32618

Aliases

CVE-2021-32618

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-32618",
    "description": "The Python \"Flask-Security-Too\" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and \u0027fill in the blanks\u0027 when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\\\\github.com will pass FS\u0027s relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the \u0027autocorrect_location_header=False`.",
    "id": "GSD-2021-32618",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-32618.html",
      "https://security.archlinux.org/CVE-2021-32618"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-32618"
      ],
      "details": "The Python \"Flask-Security-Too\" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and \u0027fill in the blanks\u0027 when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\\\\github.com will pass FS\u0027s relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the \u0027autocorrect_location_header=False`.",
      "id": "GSD-2021-32618",
      "modified": "2023-12-13T01:23:09.355329Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-32618",
        "STATE": "PUBLIC",
        "TITLE": "Open Redirect Vulnerability"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "flask-security",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c= 4.0.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Flask-Middleware"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Python \"Flask-Security-Too\" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and \u0027fill in the blanks\u0027 when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\\\\github.com will pass FS\u0027s relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the \u0027autocorrect_location_header=False`."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c",
            "refsource": "CONFIRM",
            "url": "https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c"
          },
          {
            "name": "https://github.com/Flask-Middleware/flask-security/issues/486",
            "refsource": "MISC",
            "url": "https://github.com/Flask-Middleware/flask-security/issues/486"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-6qmf-fj6m-686c",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=4.0.1",
          "affected_versions": "All versions up to 4.0.1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-601",
            "CWE-937"
          ],
          "date": "2022-01-10",
          "description": "The Python \"Flask-Security-Too\" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views  by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and \u0027fill in the blanks\u0027 when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\\\\github.com will pass FS\u0027s relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the \u0027autocorrect_location_header=False`.",
          "fixed_versions": [],
          "identifier": "CVE-2021-32618",
          "identifiers": [
            "GHSA-6qmf-fj6m-686c",
            "CVE-2021-32618"
          ],
          "not_impacted": "",
          "package_slug": "pypi/Flask-Security-Too",
          "pubdate": "2021-05-17",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "URL Redirection to Untrusted Site ",
          "urls": [
            "https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32618",
            "https://github.com/Flask-Middleware/flask-security/issues/486",
            "https://github.com/advisories/GHSA-6qmf-fj6m-686c"
          ],
          "uuid": "b0a76021-e728-47b4-aba0-2fbe19e8ce01"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:flask-security_project:flask-security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32618"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Python \"Flask-Security-Too\" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and \u0027fill in the blanks\u0027 when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\\\\github.com will pass FS\u0027s relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the \u0027autocorrect_location_header=False`."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-601"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Flask-Middleware/flask-security/issues/486",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/Flask-Middleware/flask-security/issues/486"
            },
            {
              "name": "https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2021-05-26T16:51Z",
      "publishedDate": "2021-05-17T18:15Z"
    }
  }
}

ghsa-6qmf-fj6m-686c

Vulnerability from github

Published

2021-05-17 20:51

Modified

2024-09-20 21:06

Severity ?

3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
2.1 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

Open Redirect in Flask-Security-Too

Details

Impact

Flask-Security allows redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL.

This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want.

This is considered a low severity due to the fact that if Werkzeug by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the 'autocorrect_location_header=False` which would then open up their application to this attack.

Patches

No patches as this time

Workarounds

If using Werkzeug, make sure to use the default Location header setting. If you can't - then use@app.after_request and write your own validation of the Location header if it is set.

References

No.

For more information

If you have any questions or comments about this advisory follow: https://github.com/Flask-Middleware/flask-security/issues/486

Thanks to Claroty (2021-0141) and @snoopysecurity for providing details and proof of concept.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Flask-Security-Too"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-17T16:53:26Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nFlask-Security allows redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting  URL.\n\nThis check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and \u0027fill in the blanks\u0027 when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\\\\github.com\nwill pass FS\u0027s relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want.\n\nThis is considered a low severity due to the fact that if Werkzeug by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the \u0027autocorrect_location_header=False` which would then open up their application to this attack.\n\n### Patches\nNo patches as this time\n\n### Workarounds\nIf using Werkzeug, make sure to use the default Location header setting. If you can\u0027t - then use@app.after_request and write your own validation of the Location header if it is set.\n\n### References\nNo.\n\n### For more information\nIf you have any questions or comments about this advisory follow: https://github.com/Flask-Middleware/flask-security/issues/486\n\nThanks to Claroty (2021-0141) and @snoopysecurity for providing details and proof of concept.\n",
  "id": "GHSA-6qmf-fj6m-686c",
  "modified": "2024-09-20T21:06:55Z",
  "published": "2021-05-17T20:51:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32618"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Flask-Middleware/flask-security/commit/e39bb04615050448c1b8ba4caa7dacc0edd3e405"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Flask-Middleware/flask-security"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask-security-too/PYSEC-2021-123.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210517211717/https://github.com/Flask-Middleware/flask-security/issues/486"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20211207121851/https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20220410062740/https://github.com/Flask-Middleware/flask-security/pull/489"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Open Redirect in Flask-Security-Too"
}

pysec-2021-123

Vulnerability from pysec

Published

2021-05-17 18:15

Modified

2021-08-25 04:30

Details

The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the autocorrect_location_header=False.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "flask-security-too",
        "purl": "pkg:pypi/flask-security-too"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.1",
        "3.0.1rc1",
        "3.0.1rc2",
        "3.0.1rc3",
        "3.0.2",
        "3.1.0rc1",
        "3.2.0",
        "3.2.0rc1",
        "3.2.0rc3",
        "3.2.0rc4",
        "3.3.0",
        "3.3.0rc1",
        "3.3.0rc2",
        "3.3.0rc3",
        "3.3.1",
        "3.3.2",
        "3.3.3",
        "3.4.0",
        "3.4.1",
        "3.4.2",
        "3.4.3",
        "3.4.4",
        "3.4.5",
        "4.0.0",
        "4.0.0rc1",
        "4.0.0rc2",
        "4.0.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32618",
    "GHSA-6qmf-fj6m-686c"
  ],
  "details": "The Python \"Flask-Security-Too\" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and \u0027fill in the blanks\u0027 when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\\\\github.com will pass FS\u0027s relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the `autocorrect_location_header=False`.",
  "id": "PYSEC-2021-123",
  "modified": "2021-08-25T04:30:09.653075Z",
  "published": "2021-05-17T18:15:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://github.com/Flask-Middleware/flask-security/issues/486"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c"
    }
  ]
}

CVE-2021-32618

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

CVE-2021-32618

Vulnerability from cvelistv5

gsd-2021-32618

Vulnerability from gsd

ghsa-6qmf-fj6m-686c

Vulnerability from github

Impact

Patches

Workarounds

References

For more information

pysec-2021-123

Vulnerability from pysec

Tags

Sightings

Nomenclature