CVE-2021-21241
Publication date 11 January 2021
Last updated 24 July 2024
Ubuntu priority
The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| flask-security | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.4 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
References
Other references
- https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f
- https://github.com/Flask-Middleware/flask-security/commit/6d50ee9169acf813257c37b75babe9c28e83542a
- https://github.com/Flask-Middleware/flask-security/pull/422
- https://github.com/Flask-Middleware/flask-security/releases/tag/3.4.5
- https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv
- https://pypi.org/project/Flask-Security-Too
- https://www.cve.org/CVERecord?id=CVE-2021-21241