PYSEC-2020-156

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/webargs/PYSEC-2020-156.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2020-156

Aliases

CVE-2020-7965
GHSA-fjq3-5pxw-4wj4

Published

2020-01-29T15:15:00Z

Modified

2023-11-01T04:53:40.923879Z

Summary

[none]

Details

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.

References

https://webargs.readthedocs.io/en/latest/changelog.html
https://github.com/advisories/GHSA-fjq3-5pxw-4wj4

Affected packages

PyPI / webargs

Package

Name: webargs; View open source insights on deps.dev
Purl: pkg:pypi/webargs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.5.3

Affected versions

5.*

5.0.0

5.1.0

5.1.1

5.1.1.post0

5.1.2

5.1.3

5.2.0

5.3.0

5.3.1

5.3.2

5.4.0

5.5.0

5.5.1

5.5.2