What Are You Looking For?

Popular Tags

Sign Up
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3545-1                [email protected]
https://www.debian.org/lts/security/                         Sean Whitton
August 28, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : flask-security
Version        : 1.7.5-2+deb10u1
CVE ID         : CVE-2021-23385
Debian Bug     : 1021279

It was discovered that when using the get_post_logout_redirect and
get_post_login_redirect functions in flask-security, an implementation
of simple security for Flask apps, it is possible to bypass URL
validation and redirect a user to an arbitrary URL by providing multiple
back slashes such as \\\evil.com/path.

This vulnerability is exploitable only if an alternative WSGI server
other than Werkzeug is used, or the default behaviour of Werkzeug is
modified using 'autocorrect_location_header=False.

For Debian 10 buster, this problem has been fixed in version
1.7.5-2+deb10u1.

We recommend that you upgrade your flask-security packages.

For the detailed security status of flask-security please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/flask-security

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3545-1: flask-security security update

August 28, 2023
It was discovered that when using the get_post_logout_redirect and get_post_login_redirect functions in flask-security, an implementation of simple security for Flask apps, it is p...

Summary

This vulnerability is exploitable only if an alternative WSGI server
other than Werkzeug is used, or the default behaviour of Werkzeug is
modified using 'autocorrect_location_header=False.

For Debian 10 buster, this problem has been fixed in version
1.7.5-2+deb10u1.

We recommend that you upgrade your flask-security packages.

For the detailed security status of flask-security please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/flask-security

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
Package : flask-security
Version : 1.7.5-2+deb10u1
CVE ID : CVE-2021-23385
Debian Bug : 1021279

Related News

Threat Actors Use AWS SSM Agent as a Remote Access Trojan

Aug 3, 2023

New SkidMap Malware Attacking Wide Range of Linux Distributions

Aug 8, 2023

Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems

Aug 7, 2023

Linux Creator Expresses “Frustration” Towards AMD’s fTPM Bugs, Calls To Disable Feature

Aug 1, 2023

News

Advisories

HOWTOs

Features

The Unseen Potential of Wake-on-LAN
Linux Vulnerabilities: The Antidote to This Linux Security Poison
Preventing Linux DDoS Attacks with Minimal Cybersecurity Knowledge
Navigating Software Scalability: A Practical Guide to Building Scalable Systems with Linux
Unlocking the Secrets of Linux Security: An Expert Analysis

About Us

Powered By

Footer Logo

Feedback