VYPR
Medium severity · 6.1 · NVD Advisory · Published Mar 26, 2017 · Updated May 13, 2026

CVE-2017-7266

Description

Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout functionality accepted the "next" parameter which then redirects to any domain irrespective of the Host header.
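The mechanism behind the description above, as an added example that is not Security Monkey's code: a logout helper that honours a "next" value only when it resolves to the application's own host and otherwise falls back to a fixed page. The function names and the `allowed_host` parameter are assumptions; the canonical host is meant to come from the app's configuration (the patch diff reads `app.config.get('FQDN')` for a similar purpose), not from the client-controlled Host header.

```python
# Added example, not Security Monkey's code: deciding where a logout
# handler may send the browser when the request carries a "next" value.
# `is_safe_redirect_target`, `choose_logout_redirect` and `allowed_host`
# are hypothetical names; `allowed_host` is the canonical host from the
# app's own configuration, never the client-supplied Host header.
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_AFTER_LOGOUT = "/login"  # fixed fallback when "next" is rejected


def is_safe_redirect_target(target: str, allowed_host: str) -> bool:
    """True only if following `target` keeps the browser on allowed_host.

    Rejects absolute URLs to other hosts, scheme-relative URLs
    (//evil.example), non-http(s) schemes, backslashes (browsers treat
    "\\" like "/" in the authority position) and control characters.
    """
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal in the authority
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or scheme-relative URL: the whole authority must match,
        # which also rejects userinfo tricks such as host@evil.example.
        return parts.netloc.lower() == allowed_host.lower()
    # No authority: accept only a rooted path that is not protocol-relative.
    return normalised.startswith("/") and not normalised.startswith("//")


def choose_logout_redirect(next_param: Optional[str], allowed_host: str) -> str:
    """Location header value after logout: the validated `next` value,
    otherwise the fixed fallback. The raw parameter is never echoed."""
    if next_param is not None and is_safe_redirect_target(next_param, allowed_host):
        return next_param
    return DEFAULT_AFTER_LOGOUT


if __name__ == "__main__":
    host = "securitymonkey.example.com"  # constructed sample host
    for candidate in ("/dashboard", "//evil.example/x", "/\\evil.example",
                      "https://evil.example/", "javascript:alert(1)"):
        print(repr(candidate), "->", choose_logout_redirect(candidate, host))
```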

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
security_monkey (PyPI)   < 0.8.0             0.8.0

Affected products

1

Patches

1
3b4da13efabb

Replacing Flask-Security with Flask-Security-Fork. Removing some explicit dependencies to rely on flask-security-fork dependencies. SSO will use flask-security login_user instead of flask-login so that security_trackable works. Replacing current_user.is_authenticated() method with property so we can use a newer version of flask-login. (#482)

https://github.com/Netflix/security_monkey · Patrick Kelley · Dec 30, 2016 · via ghsa
5 files changed · +11 −12
  • security_monkey/auth/modules.py (+2 −2, modified)
    @@ -240,7 +240,7 @@ def _check_permission(self, roles, method, resource):
     
         def _deny_hook(self, resource=None):
             app = self.get_app()
    -        if current_user.is_authenticated():
    +        if current_user.is_authenticated:
                 status = 403
             else:
                 status = 401
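    Review bot: the bare `current_user.is_authenticated` on the `+` line only behaves as intended with Flask-Login 0.3 or later, where `is_authenticated` became a property; on the 0.2.x series this code was pinned to until this commit (`Flask-Login==0.2.10` in setup.py), the attribute is a bound method and is always truthy, so `_deny_hook` would answer 403 instead of 401 for anonymous callers. Pin the Flask-Login version this hunk requires instead of relying on what Flask-Security-Fork pulls in transitively.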
    @@ -250,7 +250,7 @@ def _deny_hook(self, resource=None):
                     url = "https://{}:{}{}".format(app.config.get('FQDN'), app.config.get('NGINX_PORT'), '/login')
             else:
                     url = "http://{}:{}{}".format(app.config.get('FQDN'), app.config.get('API_PORT'), '/login')
    -        if current_user.is_authenticated():
    +        if current_user.is_authenticated:
                 auth_dict = {
                     "authenticated": True,
                     "user": current_user.email,
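    Review bot: `current_user.is_authenticated` is now evaluated twice in `_deny_hook` (the previous hunk uses it to pick 401 vs 403, this one to fill `auth_dict`); evaluate it once at the top of the method and reuse the result so the status code and the `"authenticated"` field cannot disagree. The login URL on the context lines is built from `app.config` (FQDN and port) rather than from the request's Host header, which is the right source for a redirect target.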
    
  • security_monkey/sso/views.py (+2 −2, modified)
    @@ -13,7 +13,7 @@
     
     from flask.ext.restful import reqparse, Resource, Api
     from flask.ext.principal import Identity, identity_changed
    -from flask_login import login_user
    +from flask_security.utils import login_user
     
     try:
         from onelogin.saml2.auth import OneLogin_Saml2_Auth
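    Review bot: swapping the import to `flask_security.utils.login_user` changes the signature the SSO code calls: Flask-Security's `login_user(user, remember=None)` wraps Flask-Login's and accepts only `remember`, whereas Flask-Login's also takes `force` and `fresh`. The call sites are outside this hunk, so confirm none of them passes those keywords. The `flask.ext.restful` and `flask.ext.principal` imports on the context lines use the deprecated extension-import form; `flask_restful` / `flask_principal` would match the new `flask_security` import.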
    @@ -264,7 +264,7 @@ def _consumer(self, auth):
             auth.process_response()
             errors = auth.get_errors()
             if not errors:
    -            if auth.is_authenticated():
    +            if auth.is_authenticated:
                     return True
                 else:
                     return False
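    Review bot: `auth` in `_consumer` is the SAML response object, not a Flask-Login user: the context lines call `auth.process_response()` and `auth.get_errors()`, and the file imports `OneLogin_Saml2_Auth`. The method-to-property change motivated by Flask-Login therefore does not apply here. In python3-saml, `OneLogin_Saml2_Auth.is_authenticated` is a method, so dropping the parentheses on the `+` line makes `auth.is_authenticated` the bound method itself, which is always truthy, and this branch would return True for every error-free response whether or not the assertion authenticated anyone. Keep `auth.is_authenticated()` on this line.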
    
  • security_monkey/views/__init__.py (+1 −1, modified)
    @@ -144,7 +144,7 @@ def __init__(self):
             self.reqparse = reqparse.RequestParser()
             super(AuthenticatedService, self).__init__()
             self.auth_dict = dict()
    -        if current_user.is_authenticated():
    +        if current_user.is_authenticated:
                 roles_marshal = []
                 for role in current_user.roles:
                     roles_marshal.append(marshal(role.__dict__, ROLE_FIELDS))
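    Review bot: the `+` line carries the same Flask-Login >= 0.3 requirement as the modules.py hunks; with an older Flask-Login the anonymous user would pass this check and the loop would run against its `roles`. On the context lines, `marshal(role.__dict__, ROLE_FIELDS)` serialises the SQLAlchemy instance's `__dict__`; `marshal` can read attributes from the object directly, and passing `role` itself avoids depending on which columns happen to be loaded into `__dict__` at that moment.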
    
  • security_monkey/views/logout.py (+1 −1, modified)
    @@ -25,7 +25,7 @@ class Logout(Resource):
         decorators = [rbac.exempt]
     
         def get(self):
    -        if not current_user.is_authenticated():
    +        if not current_user.is_authenticated:
                 return "Must be logged in to log out", 200
     
             logout_user()
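    Review bot: this hunk does not address the advisory's issue. The only visible change is the method-to-property swap; nothing here reads or validates a `next` parameter, so the open redirect described above (logout following `next` to any domain) needs a separate change in this resource: honour `next` only when it is a rooted path on the application's own configured host, and redirect to a fixed post-logout page otherwise. Separately, answering an anonymous caller with 200 and the body "Must be logged in to log out" is unusual for a REST resource; 401, or simply a redirect to the login page, is the conventional response.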
    
  • setup.py (+5 −6, modified)
    @@ -23,25 +23,24 @@
         install_requires=[
             'APScheduler==2.1.2',
             'Flask==0.10.1',
    -        'Flask-Login==0.2.10',
             'Flask-Mail==0.9.0',
             'Flask-Migrate==1.3.1',
             'Flask-Principal==0.4.0',
             'Flask-RESTful==0.3.3',
             'Flask-SQLAlchemy==1.0',
             'Flask-Script==0.6.3',
    -        'Flask-Security==1.7.4',
    -        'Flask-WTF==0.9.5',
    +        # 'Flask-Security==1.7.4',
    +        'Flask-Security-Fork==1.8.2',
             'Jinja2==2.8',
             'SQLAlchemy==0.9.2',
             'boto>=2.41.0',
             'ipaddr==2.1.11',
             'itsdangerous==0.23',
    -        'psycopg2==2.5.2',
    -        'bcrypt==2.0.0',
    +        'psycopg2==2.6.2',
    +        'bcrypt==3.1.2',
             'Sphinx==1.2.2',
             'gunicorn==18.0',
    -        'cryptography==1.3.2',
    +        'cryptography==1.7.1',
             'boto3>=1.4.2',
             'botocore>=1.4.81',
             'dpath==1.3.2',
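    Review bot: the explicit `Flask-Login==0.2.10` pin is removed while the other hunks in this commit require `is_authenticated` to be a property (Flask-Login >= 0.3), so the resolved version now depends on what `Flask-Security-Fork==1.8.2` declares transitively; pin it here. Delete the `# 'Flask-Security==1.7.4'` line rather than leaving it commented out (git history records the old pin). `Flask-WTF==0.9.5` is also dropped without mention in the commit message; confirm no module imports `flask_wtf`.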
    
