CVE-2021-21241

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21241
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21241.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-21241
Aliases
Related
Published
2021-01-11T21:15:13Z
Modified
2024-09-16T05:00:21Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITYTOKENMAX_AGE to "0" (seconds) which should make the token unusable.

References

Affected packages

Debian:11 / flask-security

Package

Name
flask-security
Purl
pkg:deb/debian/flask-security?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / flask-security

Package

Name
flask-security
Purl
pkg:deb/debian/flask-security?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / flask-security

Package

Name
flask-security
Purl
pkg:deb/debian/flask-security?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}