Описание
Security update for python-Flask-Security-Too
This update for python-Flask-Security-Too fixes the following issues:
- CVE-2021-23385: Fixed open redirect (bsc#1202105).
Список пакетов
SUSE Linux Enterprise Module for Basesystem 15 SP3
python3-Flask-Security-Too-3.4.2-150200.3.6.1
SUSE Linux Enterprise Module for Basesystem 15 SP4
python3-Flask-Security-Too-3.4.2-150200.3.6.1
openSUSE Leap 15.3
python3-Flask-Security-Too-3.4.2-150200.3.6.1
openSUSE Leap 15.4
python3-Flask-Security-Too-3.4.2-150200.3.6.1
Ссылки
- Link for SUSE-SU-2022:3867-1
- E-Mail link for SUSE-SU-2022:3867-1
- SUSE Security Ratings
- SUSE Bug 1202105
- SUSE CVE CVE-2021-23385 page
Описание
This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. **Note:** Flask-Security is not maintained anymore.
Затронутые продукты
SUSE Linux Enterprise Module for Basesystem 15 SP3:python3-Flask-Security-Too-3.4.2-150200.3.6.1
SUSE Linux Enterprise Module for Basesystem 15 SP4:python3-Flask-Security-Too-3.4.2-150200.3.6.1
openSUSE Leap 15.3:python3-Flask-Security-Too-3.4.2-150200.3.6.1
openSUSE Leap 15.4:python3-Flask-Security-Too-3.4.2-150200.3.6.1
Ссылки
- CVE-2021-23385
- SUSE Bug 1202105