python310-Flask-Security-Too-5.3.2-3.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13561 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python310-Flask-Security-Too-5.3.2-3.1 on GA media These are all security issues fixed in the python310-Flask-Security-Too-5.3.2-3.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13561 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13561 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-21241/ SUSE CVE CVE-2021-21241 page https://www.suse.com/security/cve/CVE-2021-23385/ SUSE CVE CVE-2021-23385 page openSUSE Tumbleweed python310-Flask-Security-Too-5.3.2-3.1 python311-Flask-Security-Too-5.3.2-3.1 python39-Flask-Security-Too-5.3.2-3.1 python310-Flask-Security-Too-5.3.2-3.1 as a component of openSUSE Tumbleweed python311-Flask-Security-Too-5.3.2-3.1 as a component of openSUSE Tumbleweed python39-Flask-Security-Too-5.3.2-3.1 as a component of openSUSE Tumbleweed The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable. CVE-2021-21241 openSUSE Tumbleweed:python310-Flask-Security-Too-5.3.2-3.1 openSUSE Tumbleweed:python311-Flask-Security-Too-5.3.2-3.1 openSUSE Tumbleweed:python39-Flask-Security-Too-5.3.2-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-21241.html CVE-2021-21241 https://bugzilla.suse.com/1181058 SUSE Bug 1181058 This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. **Note:** Flask-Security is not maintained anymore. CVE-2021-23385 openSUSE Tumbleweed:python310-Flask-Security-Too-5.3.2-3.1 openSUSE Tumbleweed:python311-Flask-Security-Too-5.3.2-3.1 openSUSE Tumbleweed:python39-Flask-Security-Too-5.3.2-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23385.html CVE-2021-23385 https://bugzilla.suse.com/1202105 SUSE Bug 1202105