GHSA-q4qm-xhf9-4p8f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q4qm-xhf9-4p8f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-q4qm-xhf9-4p8f/GHSA-q4qm-xhf9-4p8f.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-q4qm-xhf9-4p8f
- Aliases
- Published
- 2022-06-03T00:01:07Z
- Modified
- 2024-09-20T20:24:46.161716Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVSS Calculator
- 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Flower OAuth authentication bypass
- Details
-
All versions of Flower, a web UI for the Celery Python RPC framework, as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. A fix was released in version 1.2.0.
- Database specific
{ "nvd_published_at": "2022-06-02T14:15:00Z", "cwe_ids": [ "CWE-287" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-06-03T22:29:21Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-30034
- https://github.com/mher/flower/issues/1217
- https://github.com/mher/flower/pull/1216
- https://github.com/mher/flower
- https://github.com/pypa/advisory-database/tree/main/vulns/flower/PYSEC-2022-42973.yaml
- https://tprynn.github.io/2022/05/26/flower-vulns.html
- http://githubcommherflower.com
Affected packages
PyPI / flower
Package
- Name
- flower
- View open source insights on deps.dev
- Purl
- pkg:pypi/flower