Summary: <dev-python/flask-security-3.4.5: CSRF vulnerability (CVE-2021-21241)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B4 [noglsa cleanup]
Package list: (none)
Runtime testing required: ---
Description Sam James 2021-01-11 22:05:19 UTC
CVE text: "The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens, you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds), which should make the token unusable." ... which is confusing. Anyway, the URL for this bug has the actual flask-security security advisory, so I guess it affects us.
Comment 1 Sam James 2021-01-11 22:05:40 UTC
Please bump to 3.4.5.
Comment 2 Larry the Git Cow 2021-01-11 23:56:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82176833aacf96541f5af679e03e463667a4ce73

commit 82176833aacf96541f5af679e03e463667a4ce73
Author: Michał Górny <firstname.lastname@example.org>
AuthorDate: 2021-01-11 23:43:00 +0000
Commit: Michał Górny <email@example.com>
CommitDate: 2021-01-11 23:56:25 +0000

    dev-python/flask-security: Bump to 3.4.5

    Bug: https://bugs.gentoo.org/765016
    Signed-off-by: Michał Górny <firstname.lastname@example.org>

 dev-python/flask-security/Manifest                  |  1 +
 .../flask-security/flask-security-3.4.5.ebuild      | 74 ++++++++++++++++++++++
 2 files changed, 75 insertions(+)
Comment 3 Sam James 2021-01-12 12:03:07 UTC
amd64 x86 (ALLARCHES) done

all arches done
Comment 4 John Helmert III 2021-01-12 14:13:33 UTC