Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xNHFtLXhoZjktNHA4Zs4AArXi
Flower OAuth authentication bypass
All versions of Flower, a web UI for the Celery Python RPC framework, as of 05-02-2022 are vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. A fix was released in version 1.2.0.
Permalink: https://github.com/advisories/GHSA-q4qm-xhf9-4p8fJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xNHFtLXhoZjktNHA4Zs4AArXi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Identifiers: GHSA-q4qm-xhf9-4p8f, CVE-2022-30034
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-30034
- https://tprynn.github.io/2022/05/26/flower-vulns.html
- http://githubcommherflower.com
- https://github.com/mher/flower/pull/1216
- https://github.com/mher/flower/issues/1217
- https://github.com/pypa/advisory-database/tree/main/vulns/flower/PYSEC-2022-42973.yaml
- https://github.com/advisories/GHSA-q4qm-xhf9-4p8f
Blast Radius: 30.3
Affected Packages
pypi:flower
Dependent packages: 32Dependent repositories: 3,295
Downloads: 2,497,437 last month
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 1.0.0, 1.1.0
All unaffected versions: 1.2.0, 2.0.0, 2.0.1