Bugzilla – Bug 1202105
VUL-0: CVE-2021-23385: python-Flask-Security,python-Flask-Security-Too: Open Redirect
Last modified: 2024-01-10 13:22:11 UTC
This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. **Note:** Flask-Security is not maintained anymore. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23385 https://github.com/mattupstate/flask-security https://security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234 https://snyk.io/blog/url-confusion-vulnerabilities/
It doesn't seems to be any patch available yet. Interesting thing I noticed is that GHSA-6qmf-fj6m-686c [0] also addresses an open redirect vulnerability with a different CVE ID: CVE-2021-32618. It was reported only one day before they Snyk one, and both are credited to Claroty. I think these two CVEs are duplicated, I will inform Mitre and they will double-check. [0] https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
Possibly discussed in https://github.com/mattupstate/flask-security/issues/872
Otherwise, python-Flask-Security package has been removed in Factory in favour of https://build.opensuse.org/package/show/openSUSE:Factory/python-Flask-Security-Too
There is a discussion of this CVE on https://github.com/Flask-Middleware/flask-security/issues/486 claiming that possibly there could be a duplicate of this CVE as CVE-2021-32618 (and this could be duplicate of that).
SUSE-SU-2022:3834-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1202105 CVE References: CVE-2021-23385 JIRA References: Sources used: openSUSE Leap 15.4 (src): python-Flask-Security-3.0.0-150100.4.3.1 openSUSE Leap 15.3 (src): python-Flask-Security-3.0.0-150100.4.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3867-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1202105 CVE References: CVE-2021-23385 JIRA References: Sources used: openSUSE Leap 15.4 (src): python-Flask-Security-Too-3.4.2-150200.3.6.1 openSUSE Leap 15.3 (src): python-Flask-Security-Too-3.4.2-150200.3.6.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): python-Flask-Security-Too-3.4.2-150200.3.6.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python-Flask-Security-Too-3.4.2-150200.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.