CVE-2022-24880

Published: 25 Apr 2022
Source: nvd
CVSS3: 5.3
CVSS2: 5
EPSS: Low

Description

flask-session-captcha is a package which allows users to extend Flask by adding an image-based captcha stored in a server-side session. In versions prior to 1.2.1, the captcha.validate() function would return None if passed no value (e.g. by submitting an empty form). If implementing users were explicitly checking that the return value is False, the captcha verification check could be bypassed. Version 1.2.1 fixes the issue. Users can work around the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
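
The return-value pitfall described above, as an added example that is not code from flask-session-captcha or from the advisory. `StubCaptcha`, its `validate(value)` signature and the sample answer are assumptions; the stub models only the pre-1.2.1 behaviour of returning None when no value is submitted.

```python
class StubCaptcha:
    """Constructed stand-in, not the library: models only the pre-1.2.1
    behaviour the description gives (None when no value is submitted)."""

    def __init__(self, expected):
        self.expected = expected  # constructed sample answer

    def validate(self, value=None):  # hypothetical signature
        if not value:
            return None  # neither True nor False
        return value == self.expected


def check_explicit_false(captcha, submitted):
    """Caller pattern the description warns about: only a literal False
    result rejects, so a None result falls through to acceptance."""
    if captcha.validate(submitted) == False:  # noqa: E712 (deliberate)
        return "rejected"
    return "accepted"


def check_truthy(captcha, submitted):
    """Workaround from the description: test the result less explicitly,
    so None, False and any other falsy result all fail closed."""
    if not captcha.validate(submitted):
        return "rejected"
    return "accepted"


def compare(submissions, answer="4821"):
    """Run both caller patterns over constructed submissions."""
    captcha = StubCaptcha(answer)
    return {
        repr(s): (check_explicit_false(captcha, s), check_truthy(captcha, s))
        for s in submissions
    }


if __name__ == "__main__":
    # Constructed inputs: missing field, empty field, wrong and right answer.
    for sub, (explicit, truthy) in compare([None, "", "0000", "4821"]).items():
        print(f"{sub:>8}  explicit==False: {explicit:<9} truthy: {truthy}")
```

The same fail-closed reasoning applies to any validator that can return a third value: accept only on a positive result rather than rejecting only on one specific negative result.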

Vulnerable configurations

Configuration 1
cpe:2.3:a:flask-session-captcha_project:flask-session-captcha:*:*:*:*:*:*:*:*
Versions before 1.2.1 (excluding)

EPSS

Percentile: 48%
0.0025
Low

5.3 Medium

CVSS3

5 Medium

CVSS2

Weaknesses

CWE-253
CWE-754

Related vulnerabilities

CVSS3: 5.3
github
almost 4 years ago

Potential Captcha Validate Bypass in flask-session-captcha
