CVSS v3: 7.4

CVE-2021-21241

Published: 11/01/2021 Updated: 19/01/2021
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.4 | Impact Score: 4 | Exploitability Score: 2.8
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious third-party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens, you can set SECURITY_TOKEN_MAX_AGE to "0" (seconds), which should make the token unusable.
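The workaround rests on how a timestamped, signed token is checked: the verifier compares the token's age against a maximum, and a maximum of 0 seconds cannot be satisfied by any token that arrives over the network. The following is an added example that models that check with a plain HMAC-SHA256 token; it is not Flask-Security-Too's serializer, and the secret key, user id and timestamps are constructed values. It lets you confirm offline that max_age=0 rejects a freshly issued token while max_age=None (no expiry) and a normal max_age still accept it.

```python
"""
Simplified model of a timestamped, HMAC-signed authentication token and the
effect of a maximum age of 0 on it.  Added example: this is NOT
Flask-Security-Too's code; it only mimics the shape of a signed-and-timestamped
token so the SECURITY_TOKEN_MAX_AGE = 0 workaround can be reasoned about offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the example; a real deployment keeps this out of source.
SECRET_KEY = b"example-secret-key-do-not-reuse"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores padding before decoding."""
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def issue_token(user_id: int, issued_at: Optional[float] = None) -> str:
    """Sign {uid, iat} with HMAC-SHA256 and return 'payload.signature'."""
    ts = time.time() if issued_at is None else issued_at
    payload = _b64(json.dumps({"uid": user_id, "iat": ts}).encode())
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, max_age: Optional[float],
                 now: Optional[float] = None) -> Optional[int]:
    """Return the user id if the signature is valid and the token is not older
    than max_age seconds; None otherwise.  max_age=None disables the age check,
    mirroring the usual "no expiry" semantics of timed serializers."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check itself leaks nothing about the MAC.
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        data = json.loads(_unb64(payload))
        uid = int(data["uid"])
        issued_at = float(data["iat"])
    except (ValueError, KeyError, TypeError):
        return None
    if max_age is not None:
        current = time.time() if now is None else now
        age = current - issued_at
        # Any real request arrives some fraction of a second after issuance,
        # so with max_age == 0 this comparison always fails: the token is dead
        # on arrival, which is the effect the workaround relies on.
        if age > max_age:
            return None
    return uid


if __name__ == "__main__":
    tok = issue_token(42, issued_at=1000.0)
    print("no expiry   :", verify_token(tok, max_age=None, now=1000.5))
    print("1h expiry   :", verify_token(tok, max_age=3600, now=1000.0 + 1800))
    print("max_age = 0 :", verify_token(tok, max_age=0, now=1000.5))
```

The model deliberately keeps the age check as a strict `age > max_age` comparison, which is what makes a zero maximum reject everything; a caveat for practitioners is that this only neutralises leaked tokens, it does not stop the vulnerable endpoints from emitting them, so upgrading to 3.4.5 or 4.0.0 remains the actual fix.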

Vulnerable Product

flask-security-too project: flask-security-too

Vendor Advisories

Debian Bug report logs - #980189 flask-security: CVE-2021-21241. Package: src:flask-security; Maintainer for src:flask-security is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 15 Jan 2021 20:03:02 UTC; Severity: grave; Tags: fi ...