Bug 1202105 (CVE-2021-23385)

Summary: VUL-0: CVE-2021-23385: python-Flask-Security,python-Flask-Security-Too: Open Redirect
Product: [Novell Products] SUSE Security Incidents Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: daniel.garcia, meissner, security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/338758/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-23385:5.4:(AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Gianluca Gabrielli 2022-08-03 12:09:01 UTC 
This affects all versions of package Flask-Security. When using the
get_post_logout_redirect and get_post_login_redirect functions, it is possible
to bypass URL validation and redirect a user to an arbitrary URL by providing
multiple back slashes such as \\\evil.com/path. This vulnerability is only
exploitable if an alternative WSGI server other than Werkzeug is used, or the
default behaviour of Werkzeug is modified using
'autocorrect_location_header=False. **Note:** Flask-Security is not maintained
anymore.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23385
https://github.com/mattupstate/flask-security
https://security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234
https://snyk.io/blog/url-confusion-vulnerabilities/
Comment 1 Gianluca Gabrielli 2022-08-03 12:13:43 UTC 
It doesn't seems to be any patch available yet.

Interesting thing I noticed is that GHSA-6qmf-fj6m-686c [0] also addresses an open redirect vulnerability with a different CVE ID: CVE-2021-32618. It was reported only one day before they Snyk one, and both are credited to Claroty. I think these two CVEs are duplicated, I will inform Mitre and they will double-check.


[0] https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
Comment 2 Matej Cepl 2022-08-04 04:57:06 UTC 
Possibly discussed in https://github.com/mattupstate/flask-security/issues/872
Comment 3 Matej Cepl 2022-08-04 06:40:06 UTC 
Otherwise, python-Flask-Security package has been removed in Factory in favour of https://build.opensuse.org/package/show/openSUSE:Factory/python-Flask-Security-Too
Comment 4 Matej Cepl 2022-09-21 09:59:56 UTC 
There is a discussion of this CVE on https://github.com/Flask-Middleware/flask-security/issues/486 claiming that possibly there could be a duplicate of this CVE as CVE-2021-32618 (and this could be duplicate of that).
Comment 7 Swamp Workflow Management 2022-11-01 14:25:02 UTC 
SUSE-SU-2022:3834-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1202105
CVE References: CVE-2021-23385
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python-Flask-Security-3.0.0-150100.4.3.1
openSUSE Leap 15.3 (src):    python-Flask-Security-3.0.0-150100.4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-11-03 20:18:41 UTC 
SUSE-SU-2022:3867-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1202105
CVE References: CVE-2021-23385
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python-Flask-Security-Too-3.4.2-150200.3.6.1
openSUSE Leap 15.3 (src):    python-Flask-Security-Too-3.4.2-150200.3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    python-Flask-Security-Too-3.4.2-150200.3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python-Flask-Security-Too-3.4.2-150200.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.