GHSA-672h-6x89-76m5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-672h-6x89-76m5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-672h-6x89-76m5/GHSA-672h-6x89-76m5.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-672h-6x89-76m5
- Aliases
- Published
- 2023-12-27T00:30:25Z
- Modified
- 2024-09-20T18:03:15.146245Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Open redirect vulnerability in Flask-Security-Too
- Details
-
An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.
Flask-Security-Too contains logic to validate that the URL specified within the next parameter is either relative or has the same network location as the requesting URL in an attempt to prevent open redirections. Previously known examples that bypassed the validation logic such as
https://example/login?next=\\\\\\github.comwere patched in version 4.1.0However, examples such as
https://example/login?next=/\\github.comandhttps://example/login?next=\\/github.comwere discovered due to how web browsers normalize slashes in URLs, which makes the package vulnerable through version <=5.3.2Additionally, with Werkzeug >=2.1.0 the autocorrectlocationheader configuration was changed to False - which means that location headers in redirects are relative by default. Thus, this issue may impact applications that were previously not impacted, if they are using Werkzeug >=2.1.0 as the WSGI layer.
- Database specific
{ "nvd_published_at": "2023-12-26T22:15:13Z", "cwe_ids": [ "CWE-601" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-01-08T21:47:12Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-49438
- https://github.com/Flask-Middleware/flask-security/commit/8b5abc4d4db9926a3d76b34b8b03255effb5e712
- https://github.com/Flask-Middleware/flask-security
- https://github.com/brandon-t-elliott/CVE-2023-49438
- https://github.com/pypa/advisory-database/tree/main/vulns/flask-security-too/PYSEC-2023-248.yaml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HCYH377TPUMUHELPI36PDS2ZM4VFIXM
Affected packages
PyPI / flask-security-too
Package
- Name
- flask-security-too
- View open source insights on deps.dev
- Purl
- pkg:pypi/flask-security-too
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.3.3