Source: flask-security
Version: 3.4.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Flask-Middleware/flask-security/issues/421
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for flask-security.

CVE-2021-21241[0]:
| The Python "Flask-Security-Too" package is used for adding security
| features to your Flask application. It is an independently
| maintained version of Flask-Security based on the 3.0.0 version of
| Flask-Security. In Flask-Security-Too from version 3.3.0 and before
| version 3.4.5, the /login and /change endpoints can return the
| authenticated user's authentication token in response to a GET
| request. Since GET requests aren't protected with a CSRF token, this
| could lead to a malicious 3rd party site acquiring the authentication
| token. Version 3.4.5 and version 4.0.0 are patched. As a workaround,
| if you aren't using authentication tokens - you can set the
| SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token
| unusable.

Admittedly the CVE description currently on MITRE is quite confusing, referring to the Flask-Security-Too package. But the other references pointed out and reviewing the changes seem to apply to the original project as well (I might miss something here).

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21241
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21241
[1] https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv
[2] https://github.com/Flask-Middleware/flask-security/pull/422
[3] https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f
[4] https://github.com/Flask-Middleware/flask-security/issues/421

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

_______________________________________________
Python-modules-team mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
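As an added, defender-side example (not code from this bug report, from Flask-Security or from Debian), here is a small regression check in Python that uses only the standard library's wsgiref tools: it issues a JSON GET to /login against a WSGI app and reports whether an authentication token appears anywhere in the response body, which is the behaviour the CVE text above describes. The two stand-in handlers, the nested response shape and the key name `authentication_token` are assumptions modelled on that description, not the project's real code, and the stand-in ignores session state (a check against a real deployment would send the browser's session cookie so the request counts as the authenticated user's).

```python
import json
from io import BytesIO
from wsgiref.util import setup_testing_defaults

TOKEN_KEY = "authentication_token"  # assumed key name, modelled on Flask-Security's JSON responses


def _login_response(environ, include_token_on_get):
    """Stand-in for a /login handler; NOT Flask-Security's code. The 'token' is a constructed value."""
    user = {"id": 1, "email": "[email protected]"}
    # Vulnerable variant: the token is emitted even for a plain GET (no CSRF protection on GET).
    # Fixed variant: the token only accompanies a POST, which carries the CSRF token.
    if environ["REQUEST_METHOD"] == "POST" or include_token_on_get:
        user[TOKEN_KEY] = "constructed-token-value"
    return {"meta": {"code": 200}, "response": {"user": user}}


def vulnerable_app(environ, start_response):
    body = json.dumps(_login_response(environ, include_token_on_get=True)).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]


def fixed_app(environ, start_response):
    body = json.dumps(_login_response(environ, include_token_on_get=False)).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]


def _contains_key(obj, key):
    """Recursively search nested JSON (dicts and lists) for a key."""
    if isinstance(obj, dict):
        return any(k == key or _contains_key(v, key) for k, v in obj.items())
    if isinstance(obj, list):
        return any(_contains_key(v, key) for v in obj)
    return False


def get_leaks_token(app, path="/login"):
    """Issue a JSON GET to `path` on a WSGI app; True if a 200 body carries the token key."""
    environ = {}
    setup_testing_defaults(environ)  # fills in a minimal, valid WSGI environ
    environ.update({"REQUEST_METHOD": "GET", "PATH_INFO": path,
                    "HTTP_ACCEPT": "application/json", "wsgi.input": BytesIO(b"")})
    status = []
    chunks = app(environ, lambda s, headers, exc_info=None: status.append(s))
    body = b"".join(chunks)
    return status[0].startswith("200") and _contains_key(json.loads(body), TOKEN_KEY)


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        print(name, "leaks token on GET /login:", get_leaks_token(app))
```

To run the same check against a real Flask app, pass its WSGI callable (`app.wsgi_app`) as `app`; a result of True on GET /login is the condition the fixed versions remove.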
