SUSE-SU-2022:3834-1

Опубликовано: 01 нояб. 2022

Источник: suse-cvrf

Описание

Security update for python-Flask-Security

This update for python-Flask-Security fixes the following issues:

CVE-2021-23385: Fixed open redirect (bsc#1202105).

Список пакетов

openSUSE Leap 15.3

python2-Flask-Security-3.0.0-150100.4.3.1

python3-Flask-Security-3.0.0-150100.4.3.1

openSUSE Leap 15.4

python3-Flask-Security-3.0.0-150100.4.3.1

Ссылки

https://www.suse.com/support/update/announcement/2022/suse-su-20223834-1/
Link for SUSE-SU-2022:3834-1
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012786.html
E-Mail link for SUSE-SU-2022:3834-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1202105
SUSE Bug 1202105
https://www.suse.com/security/cve/CVE-2021-23385/
SUSE CVE CVE-2021-23385 page

Описание

This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. **Note:** Flask-Security is not maintained anymore.

Затронутые продукты

openSUSE Leap 15.3:python2-Flask-Security-3.0.0-150100.4.3.1

openSUSE Leap 15.3:python3-Flask-Security-3.0.0-150100.4.3.1

openSUSE Leap 15.4:python3-Flask-Security-3.0.0-150100.4.3.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-23385.html
CVE-2021-23385
https://bugzilla.suse.com/1202105
SUSE Bug 1202105

SUSE-SU-2022:3834-1

Описание

Список пакетов

openSUSE Leap 15.3

openSUSE Leap 15.4

Ссылки

Уязвимость: CVE-2021-23385

Описание

Затронутые продукты

Ссылки