CVE-2021-32618 Information
Description
The Python Flask-Security-Too package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the URL specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Python's urlsplit library. However, many browsers are very lenient about the kind of URL they accept and "fill in the blanks" when presented with a possibly incomplete URL. As a concrete example, setting http://login?next=\\github.com will pass FS's relative URL check, yet many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user using a legitimate site and have it redirect to whatever site they want. This is considered low severity because if Werkzeug is used as the WSGI layer (which is very common with Flask applications), it by default ALWAYS ensures that the Location header is absolute, thus making this attack vector moot. It is possible for application writers to modify this default behavior by setting `autocorrect_location_header=False`.
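The following is an added example, not code from Flask-Security-Too: `vulnerable_next_check` re-creates the kind of urlsplit-based check the advisory describes (not the project's actual source), and `safe_next_check` is a hardened variant that normalises backslashes the way browsers do before parsing. The host name `login.example` and the sample `next` values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Re-creation of the check the advisory describes (NOT Flask-Security's actual
# source): accept ``next`` when urlsplit() reports no netloc or the same netloc.
def vulnerable_next_check(target: str, request_host: str) -> bool:
    parts = urlsplit(target)
    return parts.netloc in ("", request_host)

# Hardened check. Assumptions: only http(s) or scheme-less targets are allowed,
# and request_host is the netloc of the current request (host plus optional port).
def safe_next_check(target: str, request_host: str) -> bool:
    # Browsers treat backslashes as forward slashes, so normalise them first;
    # urlsplit() on its own sees "\\github.com" as a plain path with no netloc.
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # e.g. javascript: or data: targets
    if parts.netloc and parts.netloc != request_host:
        return False  # absolute URL pointing at a different host
    if not parts.scheme and candidate.startswith("//"):
        # Scheme-relative "//host" and "///host": browsers collapse the extra
        # slashes into an authority, while urlsplit() reports no netloc for "///host".
        return False
    return True

if __name__ == "__main__":
    # Constructed sample ``next`` values and the host the login view is served from.
    host = "login.example"
    samples = ["/dashboard", "https://login.example/dash", "\\\\github.com",
               "/\\github.com", "//github.com", "///github.com",
               "https://github.com", "javascript:alert(1)"]
    for s in samples:
        print(f"{s!r:30} vulnerable={vulnerable_next_check(s, host)!s:5} "
              f"safe={safe_next_check(s, host)}")
```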
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reference
https://github.com/Flask-Middleware/flask-security/issues/486
https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
6.1
Base Severity
MEDIUM