Moderate severity · NVD Advisory · Published Aug 2, 2022 · Updated Sep 16, 2024
Open Redirect
CVE-2021-23385
Description
This affects all versions of package Flask-Security. When using the `get_post_logout_redirect` and `get_post_login_redirect` functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes, such as `\\\evil.com/path`. This vulnerability is only exploitable if a WSGI server other than Werkzeug is used, or if the default behaviour of Werkzeug is modified with `autocorrect_location_header=False`. Note: Flask-Security is no longer maintained.
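The block below is an added illustration, not code from Flask-Security, the advisory or its references. It shows the parser mismatch behind this issue: Python's `urlsplit()` treats backslashes as ordinary path characters, while browsers treat `\` as `/` in http(s) URLs, so a "same netloc" check can accept a value the browser resolves to another host. A reconstruction of that check pattern sits beside a hardened validator that canonicalises backslashes before deciding and refuses scheme-relative targets, and a small `urljoin` model shows why a server that absolutises a relative `Location` header (Werkzeug's default autocorrect) turns the value into a path on the application's own origin. The function names, the host `app.example`, and the exact shape of the naive validator are assumptions.

```python
"""Constructed example around CVE-2021-23385: a urlsplit()-based same-host check
next to a hardened one, plus a model of Location-header absolutisation.
Not Flask-Security's code; names and the host 'app.example' are assumed."""
from urllib.parse import urljoin, urlsplit

# The value quoted in the advisory, i.e. \\\evil.com/path. urlsplit() reports no
# scheme and no netloc for it because it only recognises '/' as a separator;
# a WHATWG-conformant browser treats '\' as '/' for http(s), so the same bytes
# resolve as //evil.com/path on the client side.
ADVISORY_PAYLOAD = "\\\\\\evil.com/path"

APP_HOST = "app.example"  # assumed application host (constructed)


def naive_is_safe_redirect(url: str, app_host: str = APP_HOST) -> bool:
    """Reconstruction of the check pattern the advisory describes (an assumption,
    not copied from Flask-Security): reject only when urlsplit() reports a scheme
    or netloc and that netloc is not ours. A value without '/' separators passes."""
    if not url or not url.strip():
        return False
    parts = urlsplit(url)
    if (parts.scheme or parts.netloc) and parts.netloc != app_host:
        return False
    return True


def hardened_is_safe_redirect(url: str, app_host: str = APP_HOST) -> bool:
    """Defensive validator: canonicalise the way a browser would before deciding."""
    if not url or not url.strip():
        return False
    # Whitespace and control characters have no place in a redirect target.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in url):
        return False
    # Browsers treat backslashes as slashes in http(s) URLs; parse what they will see.
    canonical = url.replace("\\", "/")
    parts = urlsplit(canonical)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative target: only http(s) to our own host is allowed.
        return parts.scheme in ("http", "https") and parts.netloc.lower() == app_host.lower()
    # Relative target: exactly one leading slash. '//host' and '///host' are
    # authority references to a browser, not paths, so they are refused.
    return canonical.startswith("/") and not canonical.startswith("//")


def absolutize_location(location: str, host_url: str = "http://app.example/") -> str:
    """Models what a server does when it absolutises a relative Location header
    (Werkzeug's autocorrect_location_header=True); approximated here with urllib's
    urljoin. The backslash value becomes a path under our own origin, which is why
    the advisory limits exploitability to servers that skip this step."""
    return urljoin(host_url, location)


def verdicts(url: str = ADVISORY_PAYLOAD) -> dict:
    """Gather the three outcomes for one candidate redirect target."""
    return {
        "naive_accepts": naive_is_safe_redirect(url),
        "hardened_accepts": hardened_is_safe_redirect(url),
        "absolutized": absolutize_location(url),
    }


if __name__ == "__main__":
    for key, value in verdicts().items():
        print(f"{key}: {value!r}")
```

The hardened check deliberately requires relative targets to begin with a single `/`; a bare `dashboard` is refused, which is the safer default for a post-login `next` parameter. Comparing the host after lower-casing avoids case-based mismatches, but an application that serves several hostnames should check against an explicit allow-list rather than a single value.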
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Flask-Security (PyPI) | <= 3.0.0 | — |
Affected products
- Flask-Security/Flask-Security (GHSA coordinates, 8 package versions; no CPE available for any entry):
  - pkg:pypi/flask-security: <= 3.0.0
  - pkg:rpm/opensuse/python-Flask-Security (openSUSE Leap 15.3): < 3.0.0-150100.4.3.1
  - pkg:rpm/opensuse/python-Flask-Security (openSUSE Leap 15.4): < 3.0.0-150100.4.3.1
  - pkg:rpm/opensuse/python-Flask-Security (openSUSE Tumbleweed): < 5.5.2-1.1
  - pkg:rpm/opensuse/python-Flask-Security-Too (openSUSE Leap 15.3): < 3.4.2-150200.3.6.1
  - pkg:rpm/opensuse/python-Flask-Security-Too (openSUSE Leap 15.4): < 3.4.2-150200.3.6.1
  - pkg:rpm/suse/python-Flask-Security-Too (SUSE Linux Enterprise Module for Basesystem 15 SP3): < 3.4.2-150200.3.6.1
  - pkg:rpm/suse/python-Flask-Security-Too (SUSE Linux Enterprise Module for Basesystem 15 SP4): < 3.4.2-150200.3.6.1
References
- github.com/advisories/GHSA-cg8c-gc2j-2wf7 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23385 (GHSA, advisory)
- lists.debian.org/debian-lts-announce/2023/08/msg00034.html (MITRE, mailing list)
- security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234 (GHSA, web)
- snyk.io/blog/url-confusion-vulnerabilities/ (GHSA and MITRE, web)