CVE-2022-24880 Information

Description

flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1 he captcha.validate() function would return None if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be False the captcha verification check could be bypassed. Version 1.2.1 fixes the issue. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Reference

https://github.com/Tethik/flask-session-captcha/releases/tag/v1.2.1 https://github.com/Tethik/flask-session-captcha/pull/27 https://github.com/Tethik/flask-session-captcha/commit/2811ae23a38d33b620fb7a07de8837c6d65c13e4 https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

5.3