CSRF can expose users' authentication token in Flask-Security-Too
Description
The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious third-party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens, you can set SECURITY_TOKEN_MAX_AGE to "0" (seconds), which should make the token unusable.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Flask-Security-Too (PyPI) | >= 3.3.0, < 3.4.5 | 3.4.5 |
Affected products
No CPE identifiers are assigned to these entries; each is listed by package URL (purl) with its affected version range.
| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:pypi/flask-security-too | PyPI | >= 3.3.0, < 3.4.5 |
| pkg:rpm/opensuse/python-Flask-Security | openSUSE Tumbleweed | < 5.5.2-1.1 |
| pkg:rpm/opensuse/python-Flask-Security-Too | openSUSE Leap 15.3 | < 3.4.2-150200.3.3.1 |
| pkg:rpm/opensuse/python-Flask-Security-Too | openSUSE Leap 15.4 | < 3.4.2-150200.3.3.1 |
| pkg:rpm/suse/python-Flask-Security-Too | SUSE Enterprise Storage 7 | < 3.4.2-150200.3.3.1 |
| pkg:rpm/suse/python-Flask-Security-Too | SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | < 3.4.2-150200.3.3.1 |
| pkg:rpm/suse/python-Flask-Security-Too | SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | < 3.4.2-150200.3.3.1 |
| pkg:rpm/suse/python-Flask-Security-Too | SUSE Linux Enterprise Module for Basesystem 15 SP3 | < 3.4.2-150200.3.3.1 |
| pkg:rpm/suse/python-Flask-Security-Too | SUSE Linux Enterprise Module for Basesystem 15 SP4 | < 3.4.2-150200.3.3.1 |
| pkg:rpm/suse/python-Flask-Security-Too | SUSE Linux Enterprise Server 15 SP2-BCL | < 3.4.2-150200.3.3.1 |
| pkg:rpm/suse/python-Flask-Security-Too | SUSE Linux Enterprise Server 15 SP2-LTSS | < 3.4.2-150200.3.3.1 |
| pkg:rpm/suse/python-Flask-Security-Too | SUSE Linux Enterprise Server for SAP Applications 15 SP2 | < 3.4.2-150200.3.3.1 |
| pkg:rpm/suse/python-Flask-Security-Too | SUSE Manager Proxy 4.1 | < 3.4.2-150200.3.3.1 |
| pkg:rpm/suse/python-Flask-Security-Too | SUSE Manager Retail Branch Server 4.1 | < 3.4.2-150200.3.3.1 |
| pkg:rpm/suse/python-Flask-Security-Too | SUSE Manager Server 4.1 | < 3.4.2-150200.3.3.1 |
References
- github.com/advisories/GHSA-hh7m-rx4f-4vpv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21241 (NVD entry)
- github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f (fix commit)
- github.com/Flask-Middleware/flask-security/commit/6d50ee9169acf813257c37b75babe9c28e83542a (fix commit)
- github.com/Flask-Middleware/flask-security/pull/422 (fix pull request)
- github.com/Flask-Middleware/flask-security/releases/tag/3.4.5 (patched release)
- github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv (project advisory, confirmed)
- github.com/pypa/advisory-database/tree/main/vulns/flask-security-too/PYSEC-2021-91.yaml (PyPA advisory PYSEC-2021-91)
- pypi.org/project/Flask-Security-Too (package on PyPI)
- web.archive.org/web/20210118165844/https://github.com/Flask-Middleware/flask-security/releases/tag/3.4.5 (archived release page)
- web.archive.org/web/20210118165958/https://github.com/Flask-Middleware/flask-security/commit/6d50ee9169acf813257c37b75babe9c28e83542a (archived commit)
- web.archive.org/web/20210118170445/https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f (archived commit)
- web.archive.org/web/20210118170502/https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv (archived advisory)
- web.archive.org/web/20211207005640/https://github.com/Flask-Middleware/flask-security/pull/422 (archived pull request)