Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 765016 (CVE-2021-21241) - <dev-python/flask-security-3.4.5: CSRF vulnerability (CVE-2021-21241)
Summary: <dev-python/flask-security-3.4.5: CSRF vulnerability (CVE-2021-21241)
Alias: CVE-2021-21241
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2021-01-11 22:05 UTC by Sam James
Modified: 2021-07-24 05:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 22:05:19 UTC
CVE text:
"The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable."

... which is confusing. Anyway, the URL for this bug has the actual flask-security security advisory, so I guess it affects us.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 22:05:40 UTC
Please bump to 3.4.5.
Comment 2 Larry the Git Cow gentoo-dev 2021-01-11 23:56:29 UTC
The bug has been referenced in the following commit(s):

commit 82176833aacf96541f5af679e03e463667a4ce73
Author:     Michał Górny <>
AuthorDate: 2021-01-11 23:43:00 +0000
Commit:     Michał Górny <>
CommitDate: 2021-01-11 23:56:25 +0000

    dev-python/flask-security: Bump to 3.4.5
    Signed-off-by: Michał Górny <>

 dev-python/flask-security/Manifest                 |  1 +
 .../flask-security/flask-security-3.4.5.ebuild     | 74 ++++++++++++++++++++++
 2 files changed, 75 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-12 12:03:07 UTC
amd64 x86 (ALLARCHES) done

all arches done
Comment 4 John Helmert III gentoo-dev Security 2021-01-12 14:13:33 UTC
Please cleanup.
Comment 5 John Helmert III gentoo-dev Security 2021-07-24 05:53:52 UTC
Done in March:

commit 5eb38e39bb838415ba4cd33ce58fbfc7ba44a1dc
Author: Michał Górny <>
Date:   Tue Mar 2 09:51:29 2021 +0100

    dev-python/flask-security: Remove old

    Signed-off-by: Michał Górny <>

 delete mode 100644 dev-python/flask-security/files/flask-security-3.4.3-optional-deps.patch
 delete mode 100644 dev-python/flask-security/flask-security-3.4.4.ebuild
 delete mode 100644 dev-python/flask-security/flask-security-3.4.5.ebuild

All done!