[Python-modules-team] Bug#980189: flask-security: CVE-2021-21241
Salvatore Bonaccorso
carnil at debian.org
Fri Jan 15 19:59:31 GMT 2021
Source: flask-security
Version: 3.4.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Flask-Middleware/flask-security/issues/421
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,

The following vulnerability was published for flask-security.

CVE-2021-21241[0]:
| The Python "Flask-Security-Too" package is used for adding security
| features to your Flask application. It is an independently
| maintained version of Flask-Security based on the 3.0.0 version of
| Flask-Security. In Flask-Security-Too from version 3.3.0 and before
| version 3.4.5, the /login and /change endpoints can return the
| authenticated user's authentication token in response to a GET
| request. Since GET requests aren't protected with a CSRF token, this
| could lead to a malicious 3rd party site acquiring the authentication
| token. Version 3.4.5 and version 4.0.0 are patched. As a workaround,
| if you aren't using authentication tokens - you can set the
| SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token
| unusable.
Admittedly the CVE description currently on MITRE is quite confusing,
referring to the Flask-Security-Too package. But the other references
pointed out and reviewing the changes seem to apply to the original
project as well (I might be missing something here).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-21241
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21241
[1] https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv
[2] https://github.com/Flask-Middleware/flask-security/pull/422
[3] https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f
[4] https://github.com/Flask-Middleware/flask-security/issues/421
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
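As an added illustration, not part of this bug report and not Flask-Security's own code, the following Python models the pattern the CVE text describes with two hypothetical handlers: one that returns the authenticated user's record (token included) on any method, and one that issues the token only on POST, where CSRF protection applies. The `token_in_response` / `audit_endpoints` helpers are the kind of regression check a maintainer can adapt to a real test suite (with Flask's test client against the actual `/login` and `/change` routes) to confirm that no GET response carries `authentication_token`. The handler names, the `SESSION_USER` record and the token value are constructed for this example; the actual upstream change is the one in the referenced PR.

```python
import json

# Constructed sample: the record the server holds for an authenticated user.
# The token value is made up for this example.
SESSION_USER = {
    "email": "user@example.org",
    "authentication_token": "tok-CONSTRUCTED-EXAMPLE",
}


def vulnerable_login(method):
    """Hypothetical handler with the CVE-2021-21241 pattern: the authenticated
    user's record, token included, is returned whatever the request method."""
    return 200, json.dumps({"user": SESSION_USER})


def fixed_login(method):
    """Hypothetical hardened handler: GET only describes the form, and the
    token is issued only in response to a POST, which the CSRF layer covers."""
    if method != "POST":
        return 200, json.dumps({"form": {"email": "", "password": ""}})
    return 200, json.dumps({"user": SESSION_USER})


def _contains_key(node, key):
    """Recursively look for `key` anywhere in a decoded JSON document."""
    if isinstance(node, dict):
        return any(k == key or _contains_key(v, key) for k, v in node.items())
    if isinstance(node, list):
        return any(_contains_key(v, key) for v in node)
    return False


def token_in_response(handler, method, key="authentication_token"):
    """Return True if calling `handler` with `method` yields a JSON body that
    carries the token field anywhere in it (nested objects included)."""
    status, body = handler(method)
    return status == 200 and _contains_key(json.loads(body), key)


def audit_endpoints(handlers):
    """Run the GET check over several endpoints; a True value flags a leak.
    `handlers` maps an endpoint path (e.g. "/login", "/change") to its handler."""
    return {path: token_in_response(h, "GET") for path, h in handlers.items()}


if __name__ == "__main__":
    report = audit_endpoints({"/login": vulnerable_login, "/change": fixed_login})
    for path, leaks in report.items():
        print(f"{path}: {'LEAKS token on GET' if leaks else 'ok'}")
```

The check deliberately walks the whole JSON body rather than one known key path, since the token can sit inside a nested `user` object; a real test should run it against every route that can render an authenticated user's record, not only `/login` and `/change`.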