Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02NzJoLTZ4ODktNzZtNc4AA4Cj
Open redirect vulnerability in Flask-Security-Too
An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.
Flask-Security-Too contains logic to validate that the URL specified within the next parameter is either relative or has the same network location as the requesting URL in an attempt to prevent open redirections. Previously known examples that bypassed the validation logic such as https://example/login?next=\\\\\\github.com were patched in version 4.1.0
However, examples such as https://example/login?next=/\\github.com and https://example/login?next=\\/github.com were discovered due to how web browsers normalize slashes in URLs, which makes the package vulnerable through version <=5.3.2
Additionally, with Werkzeug >=2.1.0 the autocorrect_location_header configuration was changed to False - which means that location headers in redirects are relative by default. Thus, this issue may impact applications that were previously not impacted, if they are using Werkzeug >=2.1.0 as the WSGI layer.
Permalink: https://github.com/advisories/GHSA-672h-6x89-76m5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NzJoLTZ4ODktNzZtNc4AA4Cj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 2 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-672h-6x89-76m5, CVE-2023-49438
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-49438
- https://github.com/Flask-Middleware/flask-security
- https://github.com/brandon-t-elliott/CVE-2023-49438
- https://github.com/Flask-Middleware/flask-security/commit/8b5abc4d4db9926a3d76b34b8b03255effb5e712
- https://github.com/pypa/advisory-database/tree/main/vulns/flask-security-too/PYSEC-2023-248.yaml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HCYH377TPUMUHELPI36PDS2ZM4VFIXM
- https://github.com/advisories/GHSA-672h-6x89-76m5
Blast Radius: 11.0
Affected Packages
pypi:Flask-Security-Too
Dependent packages: 8Dependent repositories: 64
Downloads: 298,107 last month
Affected Version Ranges: < 5.3.3
Fixed in: 5.3.3
All affected versions: 3.0.1, 3.0.2, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2
All unaffected versions: 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.2