flask-security: CVE-2021-21241

Debian Bug report logs - #980189
flask-security: CVE-2021-21241

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: flask-security: CVE-2021-21241

Date: Fri, 15 Jan 2021 20:59:31 +0100

Source: flask-security
Version: 3.4.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Flask-Middleware/flask-security/issues/421
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for flask-security.

CVE-2021-21241[0]:
| The Python "Flask-Security-Too" package is used for adding security
| features to your Flask application. It is an is a independently
| maintained version of Flask-Security based on the 3.0.0 version of
| Flask-Security. In Flask-Security-Too from version 3.3.0 and before
| version 3.4.5, the /login and /change endpoints can return the
| authenticated user's authentication token in response to a GET
| request. Since GET requests aren't protected with a CSRF token, this
| could lead to a malicious 3rd party site acquiring the authentication
| token. Version 3.4.5 and version 4.0.0 are patched. As a workaround,
| if you aren't using authentication tokens - you can set the
| SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token
| unusable.

Admitelly the CVE description currently on MITRE is quite confusing
reffering to Flask-Security-Too package. But the other references
pointed out and reviewing the changes seem to apply to the original
project as well (I might miss something here).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21241
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21241
[1] https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv
[2] https://github.com/Flask-Middleware/flask-security/pull/422
[3] https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f
[4] https://github.com/Flask-Middleware/flask-security/issues/421

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 980189@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 980189@bugs.debian.org

Subject: Re: Bug#980189: flask-security: CVE-2021-21241

Date: Fri, 15 Jan 2021 21:09:30 +0100

On Fri, Jan 15, 2021 at 08:59:31PM +0100, Salvatore Bonaccorso wrote:
[...]
> Admitelly the CVE description currently on MITRE is quite confusing
> reffering to Flask-Security-Too package. But the other references
> pointed out and reviewing the changes seem to apply to the original
> project as well (I might miss something here).

I can answer this part myself "Flask-Security-Too" is the "upstream".

flask-security (3.4.2-1) unstable; urgency=medium
[...]
  * Switch upstream to Flask-Security-Too.
[...]

Regards,
Salvatore

Send a report that this bug log contains spam.