CVE-2021-21241 : The Python "Flask-Security-Too" package is used for adding security features to

The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable.

Published 2021-01-11 21:15:13

Updated 2021-01-19 15:43:12

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2021-21241

Flask-security-too Project » Flask-security-too
Versions from including (>=) 3.3.0 and before (<) 3.4.5
cpe:2.3:a:flask-security-too_project:flask-security-too:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-21241

EPSS FAQ

0.31%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 51 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-21241

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.4	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N	2.8	4.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: None Availability: None
7.4	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N	2.8	4.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-21241

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-21241

https://github.com/Flask-Middleware/flask-security/pull/422

Fix security vuln - GET on /login or /change could reveal authenticat… by jwag956 · Pull Request #422 · Flask-Middleware/flask-security · GitHub
Patch;Third Party Advisory
https://github.com/Flask-Middleware/flask-security/commit/6d50ee9169acf813257c37b75babe9c28e83542a

Fix security vuln - GET on /login or /change could reveal authenticat… · Flask-Middleware/flask-security@6d50ee9 · GitHub
Patch;Third Party Advisory
https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv

CSRF Vuln can expose users authentication token · Advisory · Flask-Middleware/flask-security · GitHub
Third Party Advisory
https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f

I421backport (#425) · Flask-Middleware/flask-security@61d3131 · GitHub
Patch;Third Party Advisory
https://github.com/Flask-Middleware/flask-security/releases/tag/3.4.5

Release Fix CSRF Vulnerability · Flask-Middleware/flask-security · GitHub
Third Party Advisory
https://pypi.org/project/Flask-Security-Too

Flask-Security-Too · PyPI
Product;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-21241

Products affected by CVE-2021-21241

Exploit prediction scoring system (EPSS) score for CVE-2021-21241

CVSS scores for CVE-2021-21241

CWE ids for CVE-2021-21241

References for CVE-2021-21241