/
PYSEC-2022-193.yaml
45 lines (45 loc) · 1.53 KB
/
PYSEC-2022-193.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
id: PYSEC-2022-193
details: flask-session-captcha is a package which allows users to extend Flask by
adding an image based captcha stored in a server side session. In versions prior
to 1.2.1, he `captcha.validate()` function would return `None` if passed no value
(e.g. by submitting an having an empty form). If implementing users were checking
the return value to be **False**, the captcha verification check could be bypassed.
Version 1.2.1 fixes the issue. Users can workaround the issue by not explicitly
checking that the value is False. Checking the return value less explicitly should
still work.
affected:
- package:
name: flask-session-captcha
ecosystem: PyPI
purl: pkg:pypi/flask-session-captcha
ranges:
- type: GIT
repo: https://github.com/Tethik/flask-session-captcha
events:
- introduced: "0"
- fixed: 2811ae23a38d33b620fb7a07de8837c6d65c13e4
- type: ECOSYSTEM
events:
- introduced: "0"
- fixed: 1.2.1
versions:
- 1.0.0
- 1.0.1
- 1.0.2
- 1.0.3
- 1.1.0
- 1.2.0
references:
- type: WEB
url: https://github.com/Tethik/flask-session-captcha/releases/tag/v1.2.1
- type: WEB
url: https://github.com/Tethik/flask-session-captcha/pull/27
- type: FIX
url: https://github.com/Tethik/flask-session-captcha/commit/2811ae23a38d33b620fb7a07de8837c6d65c13e4
- type: ADVISORY
url: https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45
aliases:
- CVE-2022-24880
- GHSA-7r87-cj48-wj45
modified: "2022-05-17T23:28:25.264091Z"
published: "2022-04-25T22:15:00Z"