pysec-2021-91
Vulnerability from pysec
The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable.
| Name | purl |
|---|---|
| flask-security-too | pkg:pypi/flask-security-too |
{ affected: [ { package: { ecosystem: "PyPI", name: "flask-security-too", purl: "pkg:pypi/flask-security-too", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "61d313150b5f620d0b800896c4f2199005e84b1f", }, { fixed: "6d50ee9169acf813257c37b75babe9c28e83542a", }, ], repo: "https://github.com/Flask-Middleware/flask-security", type: "GIT", }, { events: [ { introduced: "3.3.0", }, { fixed: "3.4.5", }, ], type: "ECOSYSTEM", }, ], versions: [ "3.3.0", "3.3.1", "3.3.2", "3.3.3", "3.4.0", "3.4.1", "3.4.2", "3.4.3", "3.4.4", ], }, ], aliases: [ "CVE-2021-21241", "GHSA-hh7m-rx4f-4vpv", ], details: "The Python \"Flask-Security-Too\" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to \"0\" (seconds) which should make the token unusable.", id: "PYSEC-2021-91", modified: "2021-06-09T05:01:03.786366Z", published: "2021-01-11T21:15:00Z", references: [ { type: "WEB", url: "https://github.com/Flask-Middleware/flask-security/releases/tag/3.4.5", }, { type: "PACKAGE", url: "https://pypi.org/project/Flask-Security-Too", }, { type: "FIX", url: "https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f", }, { type: "ADVISORY", url: "https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv", }, { type: "WEB", url: "https://github.com/Flask-Middleware/flask-security/pull/422", }, { type: "FIX", url: "https://github.com/Flask-Middleware/flask-security/commit/6d50ee9169acf813257c37b75babe9c28e83542a", }, ], }
Log in or create an account to share your comment.
This schema specifies the format of a comment related to a security advisory.
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.