mher / flower

Real-time monitor and web admin for Celery distributed task queue

Home Page: https://flower.readthedocs.io


Security Vulnerabilities in Flower: OAuth Authentication Bypass and Lack of CSRF Protections (CVE-2022-30034)

tprynn opened this issue · comments

Ref: https://tprynn.github.io/2022/05/26/flower-vulns.html

  • Flower is unauthenticated by default and lacks CSRF protections
  • Flower's OAuth support is vulnerable to a bypass allowing anyone to authenticate regardless of the auth_regex restriction

Due to a lack of response from the maintainer, these issues were publicly disclosed on 26 May 2022 along with a PR (#1216)

commented
  • Flower is unauthenticated by default and lacks CSRF protections

Actually flower has an option for CSRF protection: https://flower.readthedocs.io/en/latest/config.html#cookie-secret

  • Flower's OAuth support is vulnerable to a bypass allowing anyone to authenticate regardless of the auth_regex restriction

The vulnerabilities mentioned in the article can be prevented by more strict regular expressions. For example, .*@example.com$ can be used to prevent authenticating with attacker@example.com.attacker.com
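As an added illustration (not code from Flower, the issue or the advisory), the check below shows why the `$` anchor suggested above matters: a re.match()-style prefix check, which is what this example assumes the auth_regex comparison behaves like, accepts the suffixed address under an unanchored pattern, while the anchored pattern rejects it. It goes one step beyond the comment by also showing that an unescaped "." in the pattern still leaves a small gap that escaping closes; all sample addresses are constructed.

```python
import re

# Constructed sample addresses (not taken from the issue): one the operator
# intends to allow, one that abuses an unanchored suffix match, and one that
# slips past an unescaped '.' in the pattern.
LEGIT = "alice@example.com"
CRAFTED = "attacker@example.com.attacker.com"
DOT_CRAFTED = "attacker@exampleXcom"


def email_allowed(auth_regex: str, email: str) -> bool:
    """Assumed re.match()-style check: the pattern only has to match at the
    start of the address, so anything after the matched part is ignored
    unless the pattern itself ends with '$'."""
    return re.match(auth_regex, email) is not None


def email_allowed_strict(auth_regex: str, email: str) -> bool:
    """Hardened variant: fullmatch() requires the whole address to match,
    so a trailing '.attacker.com' cannot be appended even if the operator
    forgot the '$' anchor."""
    return re.fullmatch(auth_regex, email) is not None


def audit_pattern(auth_regex: str) -> dict:
    """Report how a given auth_regex behaves against the sample addresses
    under the prefix-style check."""
    return {
        "legit": email_allowed(auth_regex, LEGIT),
        "suffix_bypass": email_allowed(auth_regex, CRAFTED),
        "dot_bypass": email_allowed(auth_regex, DOT_CRAFTED),
    }


if __name__ == "__main__":
    # Unanchored pattern, the '$'-anchored pattern from the comment above,
    # and a fully anchored pattern with the dot escaped.
    for pattern in (r".*@example.com", r".*@example.com$", r"^.*@example\.com$"):
        print(pattern, audit_pattern(pattern))
```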

commented

Created a pull request to improve security (#1227), please review.

Released a new version https://pypi.org/project/flower/1.2.0/

pip-audit still complains here:

Found 1 known vulnerability in 1 package
Name   Version ID                  Fix Versions
------ ------- ------------------- ------------
flower 1.2.0   GHSA-q4qm-xhf9-4p8f

@sebastian-philipp I've submitted an update to MITRE to have them mark the entry as fixed as of 1.2.0. It tends to take them some time to respond, but after they update the entry I think pip-audit should hopefully be able to notice it's fixed.

@tprynn by chance, do you know why we're still seeing the same error with pip-audit?

$ pip-audit -r constraints.txt
Found 1 known vulnerability in 1 package
Name   Version ID                  Fix Versions
------ ------- ------------------- ------------
flower 1.2.0   GHSA-q4qm-xhf9-4p8f

@sebastian-philipp I'm sorry, I don't know exactly how the version info flows through the various DBs. Looking at pip-audit's docs it seems like the source should be https://github.com/pypa/advisory-database but I didn't find any reference to the CVE / IDs there. I did submit a change to Github's advisory DB in case it's there: github/advisory-database#666

@sebastian-philipp I'm sorry

No worries. I'm just super grateful for your work.