Skip to content

CSRF can expose users authentication token

High severity GitHub Reviewed Published Jan 8, 2021 in Flask-Middleware/flask-security • Updated Feb 1, 2023

Package

pip Flask-Security-Too (pip)

Affected versions

>= 3.3.0, < 3.4.5

Patched versions

3.4.5

Description

Issue

The /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token.

Patches

Version 3.4.5 and soon to be released 4.0.0 are patched.

Workarounds

If you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable.

References

None

References

@jwag956 jwag956 published to Flask-Middleware/flask-security Jan 8, 2021
Reviewed Jan 11, 2021
Published to the GitHub Advisory Database Jan 11, 2021
Published by the National Vulnerability Database Jan 11, 2021
Last updated Feb 1, 2023

Severity

High

Weaknesses

CVE ID

CVE-2021-21241

GHSA ID

GHSA-hh7m-rx4f-4vpv

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.