CVE-2021-21241 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Cross-site request forgery
Description	In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1434	python-flask-security-too	3.3.3-3	4.0.1-1	High	Fixed	FS#70041

Date	Advisory	Group	Package	Severity	Type
19 May 2021	ASA-202105-2	AVG-1434	python-flask-security-too	High	cross-site request forgery

References
https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv https://github.com/Flask-Middleware/flask-security/issues/421 https://github.com/Flask-Middleware/flask-security/pull/422 https://github.com/Flask-Middleware/flask-security/commit/c05afe837e83f20f59c0fb409ce1240341d1ec41

References

https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv
https://github.com/Flask-Middleware/flask-security/issues/421
https://github.com/Flask-Middleware/flask-security/pull/422
https://github.com/Flask-Middleware/flask-security/commit/c05afe837e83f20f59c0fb409ce1240341d1ec41

Notes
Description =========== As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable.