
GHSA-fxq4-r6mr-9x64 flask-security-too

Package

Manager: pip
Name: flask-security-too
Vulnerable Version: >=3.2.0 <3.4.5

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

CSRF vulnerability can expose a user's QR code

Impact

When a user is setting up two-factor authentication with an authenticator app, a QR code is generated and served in response to a GET request to /tf-qrcode. GET requests carry no CSRF protection, so a malicious third party able to make the victim's browser issue that request could obtain the QR code. The QR code encodes the shared secret from which two-factor codes are generated, so whoever obtains it can produce valid second-factor codes. Note that the /tf-qrcode endpoint is ONLY reachable while the user is initially setting up their device; once setup is complete, there is no vulnerability.

Patches

This is fixed in the upcoming 4.0.0 release. The vulnerable range given above (>=3.2.0 <3.4.5) indicates that 3.4.5 also carries the fix.

Workarounds

You can serve the QR code from your own URL by setting SECURITY_TWO_FACTOR_QRCODE_URL and supplying your own view for it, one that requires a POST and validates a CSRF token. The two-factor setup template must be changed as well so that it fetches the code via that POST.

References

None.

For more information

If you have any questions or comments about this advisory, read this pull request: #423
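The following is an added example, not code from the flask-security-too project or from the advisory, to make the Impact and Workarounds sections concrete. It models the two endpoints as plain WSGI callables with no framework dependency: the vulnerable shape (any GET carrying a valid session cookie is served) and a hardened replacement that accepts only POST and checks a session-bound CSRF token. The session store, the cookie name, the user and the otpauth provisioning URI (standing in for the QR image, since that URI is what the image would encode) are all constructed fixtures, and the endpoint names are hypothetical.

```python
import hmac
import io
import secrets
from urllib.parse import parse_qs

# Constructed fixture: one user who is mid-way through two-factor setup.
# The otpauth URI is what the QR code image would encode; the image itself is
# replaced by this text so the example runs without a QR library.
SESSIONS = {
    "sess-abc": {
        "user": "alice",
        "tf_setup_uri": "otpauth://totp/demo:alice?secret=JBSWY3DPEHPK3PXP&issuer=demo",
        "csrf_token": secrets.token_hex(16),
    }
}


def _session(environ):
    """Look up the server-side session named by the 'session' cookie, if any."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


def _respond(start_response, status, body):
    start_response(status, [("Content-Type", "text/plain"), ("Cache-Control", "no-store")])
    return [body.encode()]


def qrcode_get_vulnerable(environ, start_response):
    """Models the advisory's /tf-qrcode: any GET with a valid session cookie is served,
    so a cross-site request that the browser sends with the cookie attached gets the secret."""
    sess = _session(environ)
    if sess is None or "tf_setup_uri" not in sess:
        return _respond(start_response, "404 Not Found", "no two-factor setup in progress")
    return _respond(start_response, "200 OK", sess["tf_setup_uri"])


def qrcode_post_hardened(environ, start_response):
    """Hypothetical replacement view: POST only, and the form must carry the session's
    CSRF token. A cross-site page cannot read that token, so its request is refused."""
    if environ["REQUEST_METHOD"] != "POST":
        return _respond(start_response, "405 Method Not Allowed", "POST required")
    sess = _session(environ)
    if sess is None or "tf_setup_uri" not in sess:
        return _respond(start_response, "404 Not Found", "no two-factor setup in progress")
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    sent = form.get("csrf_token", [""])[0]
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(sent, sess["csrf_token"]):
        return _respond(start_response, "403 Forbidden", "bad or missing CSRF token")
    return _respond(start_response, "200 OK", sess["tf_setup_uri"])


def call(app, method, cookie=None, form=None):
    """Drive a WSGI app directly (no network) and return (status, body)."""
    body = "&".join(f"{k}={v}" for k, v in (form or {}).items()).encode()
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": "/tf-qrcode",
        "CONTENT_LENGTH": str(len(body)),
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "wsgi.input": io.BytesIO(body),
    }
    if cookie:
        environ["HTTP_COOKIE"] = f"session={cookie}"
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response)).decode()
    return captured["status"], out


def demo():
    """A cross-site request (cookie attached, no token) against both endpoints, plus the
    legitimate same-site POST that carries the token."""
    token = SESSIONS["sess-abc"]["csrf_token"]
    return {
        "vulnerable_get": call(qrcode_get_vulnerable, "GET", cookie="sess-abc"),
        "hardened_get": call(qrcode_post_hardened, "GET", cookie="sess-abc"),
        "hardened_post_no_token": call(qrcode_post_hardened, "POST", cookie="sess-abc"),
        "hardened_post_wrong_token": call(qrcode_post_hardened, "POST", cookie="sess-abc",
                                         form={"csrf_token": "0" * 32}),
        "hardened_post_with_token": call(qrcode_post_hardened, "POST", cookie="sess-abc",
                                        form={"csrf_token": token}),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:28s} {status:22s} {body}")
```

The vulnerable handler hands over the provisioning URI to any request that carries the session cookie, which is exactly what a forged cross-site GET does; the hardened handler refuses GET outright and, for POST, requires a token that only a same-origin page can have read from the setup template. In a real deployment the token would come from the framework's CSRF machinery rather than a hand-rolled session field, and the same-origin template would submit the form or fetch the image via POST.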

Metadata

Created: 2021-04-08T16:46:00Z
Modified: 2021-04-08T16:45:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-fxq4-r6mr-9x64/GHSA-fxq4-r6mr-9x64.json
CWE IDs: ["CWE-352"]
Alternative ID: N/A
Finding: F007
Auto approve: 1