Security Vulnerabilities in Flower: OAuth Authentication Bypass and Lack of CSRF Protections (CVE-2022-30034)
tprynn opened this issue · comments
Ref: https://tprynn.github.io/2022/05/26/flower-vulns.html
- Flower is unauthenticated by default and lacks CSRF protections
- Flower's OAuth support is vulnerable to a bypass allowing anyone to authenticate regardless of the `auth_regex` restriction
Due to a lack of response from the maintainer, these issues were publicly disclosed on 26 May 2022 along with a PR (#1216)
@mher FYI!
> - Flower is unauthenticated by default and lacks CSRF protections

Actually flower has an option for CSRF protection https://flower.readthedocs.io/en/latest/config.html#cookie-secret

> - Flower's OAuth support is vulnerable to a bypass allowing anyone to authenticate regardless of the `auth_regex` restriction

The vulnerabilities mentioned in the article can be prevented by more strict regular expressions. For example, `.*@example.com$` can be used to prevent authenticating with `attacker@example.com.attacker.com`.
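To make the anchoring point concrete, here is an added example (not Flower's own code, and not from the linked article): a hypothetical allow-list check `is_allowed()` that applies the configured regex with Python's `re.match()`, which only anchors at the start of the string, run over a constructed set of addresses an OAuth provider might return. It goes slightly beyond the specific case above by also showing that an unescaped `.` in the pattern still matches any character, and by pairing the check with a hardened `is_allowed_strict()` that escapes the domain and uses `re.fullmatch()`.

```python
import re

# Constructed sample of e-mail addresses an OAuth provider might hand back.
# Only the first belongs to the organisation; the others are attacker-chosen
# addresses on domains the attacker could register.
SAMPLE_EMAILS = [
    "alice@example.com",
    "attacker@example.com.attacker.com",  # the suffix shape from the report
    "attacker@examplexcom",               # unescaped '.' matches any character
]


def is_allowed(auth_regex: str, email: str) -> bool:
    """Hypothetical allow-list check: does the configured regex accept email?

    re.match() anchors only at the start of the string, so a pattern without a
    trailing '$' accepts any address that merely begins with an allowed-looking
    prefix, e.g. '.*@example.com' matches 'attacker@example.com.attacker.com'.
    """
    return re.match(auth_regex, email) is not None


def is_allowed_strict(allowed_domain: str, email: str) -> bool:
    """Hardened check built from the literal domain rather than a raw regex.

    re.escape() neutralises the '.' in the domain and re.fullmatch() requires
    the entire string to match, so neither a trailing suffix nor a wildcard
    character can widen the allow-list.
    """
    pattern = r"[^@]+@" + re.escape(allowed_domain)
    return re.fullmatch(pattern, email) is not None


def evaluate(auth_regex: str) -> dict:
    """Apply the configured regex to every sample address (for the reader)."""
    return {email: is_allowed(auth_regex, email) for email in SAMPLE_EMAILS}


def evaluate_strict(allowed_domain: str) -> dict:
    """Apply the hardened check to every sample address."""
    return {email: is_allowed_strict(allowed_domain, email) for email in SAMPLE_EMAILS}


if __name__ == "__main__":
    for label, results in (
        ("unanchored  .*@example.com ", evaluate(r".*@example.com")),
        ("anchored    .*@example.com$", evaluate(r".*@example.com$")),
        ("strict      example.com    ", evaluate_strict("example.com")),
    ):
        print(label, results)
```

The unanchored pattern accepts the `example.com.attacker.com` address; adding `$` rejects it, as the comment above says, but still accepts `attacker@examplexcom` because the dot is unescaped. Building the pattern from the escaped literal domain and using `fullmatch` rejects both while still accepting the legitimate address.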
Released a new version https://pypi.org/project/flower/1.2.0/
pip-audit still complains here:

```
Found 1 known vulnerability in 1 package
Name   Version ID                  Fix Versions
------ ------- ------------------- ------------
flower 1.2.0   GHSA-q4qm-xhf9-4p8f
```
@sebastian-philipp I've submitted an update to MITRE to have them mark the entry as fixed as of 1.2.0. It tends to take them some time to respond, but after they update the entry I think pip-audit should hopefully be able to notice it's fixed.
@tprynn by chance, do you know why we're still seeing the same error with pip-audit?

```
$ pip-audit -r constraints.txt
Found 1 known vulnerability in 1 package
Name   Version ID                  Fix Versions
------ ------- ------------------- ------------
flower 1.2.0   GHSA-q4qm-xhf9-4p8f
```
@sebastian-philipp I'm sorry, I don't know exactly how the version info flows through the various DBs. Looking at pip-audit's docs it seems like the source should be https://github.com/pypa/advisory-database but I didn't find any reference to the CVE / IDs there. I did submit a change to Github's advisory DB in case it's there: github/advisory-database#666
> @sebastian-philipp I'm sorry

No worries. I'm just super grateful for your work.