Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 863509 (CVE-2021-23385)

Summary: dev-python/flask-security: open redirect in non-default configuration
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: mgorny, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234
See Also: https://bugs.gentoo.org/show_bug.cgi?id=867415
Whiteboard: C4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 03:01:54 UTC 
CVE-2021-23385:

This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. **Note:** Flask-Security is not maintained anymore.

Snyk only seems to have tested against the original now unmaintained
Flask-Security at https://github.com/mattupstate/flask-security. Asked
if they've tested against Flask-Security-Too.
Comment 1 Larry the Git Cow gentoo-dev 2022-09-29 08:08:56 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bfd440a755b77c146e1f0e0c48ed1190fc82a7b

commit 8bfd440a755b77c146e1f0e0c48ed1190fc82a7b
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-09-29 08:07:34 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-09-29 08:07:38 +0000

    dev-python/flask-security: Remove last-rited pkg
    
    Closes: https://bugs.gentoo.org/867415
    Closes: https://bugs.gentoo.org/863509
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-python/flask-security/Manifest                 |  2 -
 .../flask-security/flask-security-4.1.4.ebuild     | 66 ---------------------
 .../flask-security/flask-security-4.1.5.ebuild     | 67 ----------------------
 dev-python/flask-security/metadata.xml             | 13 -----
 profiles/package.mask                              | 12 ----
 5 files changed, 160 deletions(-)