Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03cjg3LWNqNDgtd2o0Nc1BKw
Potential Captcha Validate Bypass in flask-session-captcha
Impact
flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session.
The captcha.validate() function would return None if passed no value (e.g. by submitting a request with an empty form).
If implementing users were checking the return value to be False, the captcha verification check could be bypassed.
Sample vulnerable code:
if captcha.validate() == False:
... # abort
else:
... # do stuff
Patches
A new version (1.2.1) is available that fixes the issue.
Workarounds
Users can workaround the issue by not explicitly checking that the value is False.
Checking the return value less explicitly should still work.
if not captcha.validate():
... # abort
else:
... # do stuff
if captcha.validate():
... # do stuff
else:
... # abort
References
https://github.com/Tethik/flask-session-captcha/pull/27
For more information
If you have any questions or comments about this advisory:
- Open an issue in the github repo
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03cjg3LWNqNDgtd2o0Nc1BKw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 8 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-7r87-cj48-wj45, CVE-2022-24880
References:
- https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45
- https://github.com/Tethik/flask-session-captcha/pull/27
- https://nvd.nist.gov/vuln/detail/CVE-2022-24880
- https://github.com/Tethik/flask-session-captcha/commit/2811ae23a38d33b620fb7a07de8837c6d65c13e4
- https://github.com/Tethik/flask-session-captcha/releases/tag/v1.2.1
- https://github.com/pypa/advisory-database/tree/main/vulns/flask-session-captcha/PYSEC-2022-193.yaml
- https://github.com/advisories/GHSA-7r87-cj48-wj45
Blast Radius: 6.4
Affected Packages
pypi:flask-session-captcha
Dependent packages: 0Dependent repositories: 16
Downloads: 3,096 last month
Affected Version Ranges: < 1.2.1
Fixed in: 1.2.1
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0
All unaffected versions: 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.4.1, 1.4.2