CVE-2021-21241

Опубликовано: 11 янв. 2021

Источник: ubuntu

Приоритет: medium

EPSS Низкий

CVSS2: 4.3

CVSS3: 7.4

Описание

The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable.

Релиз	Статус	Примечание
bionic	ignored	end of standard support, was needs-triage
devel	not-affected	3.4.5
esm-apps/bionic	not-affected	code not present
esm-apps/focal	not-affected	code not present
esm-apps/jammy	not-affected	3.4.5
esm-apps/noble	not-affected	3.4.5
esm-infra-legacy/trusty	DNE
focal	not-affected	code not present
groovy	ignored	end of life
hirsute	ignored	end of life

Показывать по

Ссылки на источники

EPSS

Процентиль: 61%

0.00421

Низкий

4.3 Medium

CVSS2

7.4 High

CVSS3

Связанные уязвимости

CVE-2021-21241

CVSS3: 7.4

nvd

около 5 лет назад

CVE-2021-21241

CVSS3: 7.4

debian

около 5 лет назад

The Python "Flask-Security-Too" package is used for adding security fe ...

SUSE-SU-2022:3093-1

suse-cvrf

больше 3 лет назад

Security update for python-Flask-Security-Too

GHSA-hh7m-rx4f-4vpv

CVSS3: 7.4

github

около 5 лет назад

CSRF can expose users authentication token

EPSS

Процентиль: 61%

0.00421

Низкий

4.3 Medium

CVSS2

7.4 High

CVSS3

CVE-2021-21241

Описание

Пакет flask-security

Ссылки на источники

Связанные уязвимости