Описание
Security update for python-Flask-Security-Too
This update for python-Flask-Security-Too fixes the following issues:
- CVE-2021-21241: Fixed an issue where GET requests lacking CSRF protection to certain endpoints could return the user's authentication token (bsc#1181058).
Список пакетов
SUSE Enterprise Storage 7
SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
SUSE Linux Enterprise Module for Basesystem 15 SP3
SUSE Linux Enterprise Module for Basesystem 15 SP4
SUSE Linux Enterprise Server 15 SP2-BCL
SUSE Linux Enterprise Server 15 SP2-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP2
SUSE Manager Proxy 4.1
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
openSUSE Leap 15.3
openSUSE Leap 15.4
Ссылки
- Link for SUSE-SU-2022:3093-1
- E-Mail link for SUSE-SU-2022:3093-1
- SUSE Security Ratings
- SUSE Bug 1181058
- SUSE CVE CVE-2021-21241 page
Описание
The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable.
Затронутые продукты
Ссылки
- CVE-2021-21241
- SUSE Bug 1181058