Security Vulnerabilities in Flower: OAuth Authentication Bypass and Lack of CSRF Protections (CVE-2022-30034)

[tprynn]

Ref: https://tprynn.github.io/2022/05/26/flower-vulns.html

• Flower is unauthenticated by default and lacks CSRF protections
• Flower's OAuth support is vulnerable to a bypass allowing anyone to authenticate regardless of the auth_regex restriction

Due to a lack of response from the maintainer, these issues were publicly disclosed on 26 May 2022 along with a PR (#1216)

[magedhelmy1]

@mher FYI!

[mher]

• Flower is unauthenticated by default and lacks CSRF protections

Actually flower has an option for CRSF protection https://flower.readthedocs.io/en/latest/config.html#cookie-secret

• Flower's OAuth support is vulnerable to a bypass allowing anyone to authenticate regardless of the auth_regex restriction

The vulnerabilities mentioned in the article can be prevented by more strict regular expressions. For example, .*@example.com$ can be used to prevent authenticating with attacker@example.com.attacker.com

[mher]

Created a pull request to improve security #1227 please review

[mher]

Released a new version https://pypi.org/project/flower/1.2.0/

[sebastian-philipp]

Released a new version https://pypi.org/project/flower/1.2.0/

pip-audit still complains here:

Found 1 known vulnerability in 1 package
Name   Version ID                  Fix Versions
------ ------- ------------------- ------------
flower 1.2.0   GHSA-q4qm-xhf9-4p8f

[tprynn]

@sebastian-philipp I've submitted an update to MITRE to have them mark the entry as fixed as of 1.2.0. It tends to take them some time to respond, but after they update the entry I think pip-audit should hopefully be able to notice it's fixed.

[sebastian-philipp]

@tprynn by chance, do you know why we're still seeing the same error with pip-audit?

$ pip-audit -r constraints.txt
Found 1 known vulnerability in 1 package
Name   Version ID                  Fix Versions
------ ------- ------------------- ------------
flower 1.2.0   GHSA-q4qm-xhf9-4p8f

[tprynn]

@sebastian-philipp I'm sorry, I don't know exactly how the version info flows through the various DBs. Looking at pip-audit's docs it seems like the source should be https://github.com/pypa/advisory-database but I didn't find any reference to the CVE / IDs there. I did submit a change to Github's advisory DB in case it's there: github/advisory-database#666