------------------------------------------------------------------------- Debian LTS Advisory DLA-3545-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Sean Whitton August 28, 2023 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : flask-security Version : 1.7.5-2+deb10u1 CVE ID : CVE-2021-23385 Debian Bug : 1021279 It was discovered that when using the get_post_logout_redirect and get_post_login_redirect functions in flask-security, an implementation of simple security for Flask apps, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is exploitable only if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. For Debian 10 buster, this problem has been fixed in version 1.7.5-2+deb10u1. We recommend that you upgrade your flask-security packages. For the detailed security status of flask-security please refer to its security tracker page at: https://security-tracker.debian.org/tracker/flask-security Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature