Flask-Unchained up to 0.8.x URL Validation _validate_redirect_url


A vulnerability was found in Flask-Unchained up to 0.8.x. It has been declared as problematic. Affected by this vulnerability is the function _validate_redirect_url of the component URL Validation Handler. Upgrading to version 0.9.0 eliminates this vulnerability. Applying a patch also eliminates this problem; the bugfix is available for download at github.com. The recommended mitigation is to upgrade to the latest version.

Timeline

Analysing the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that immediate vulnerability response can be initiated and issues can be prioritized.


ID | Committed | User | Field | Change | Remarks | Moderated | Reason | Conf
11337703 | 06/13/2021 | VulD... | cve_cna | Snyk | nvd.nist.gov | 06/13/2021 | accepted | 70
11337702 | 06/13/2021 | VulD... | cvss3_meta_tempscore | 4.8 | see documentation | 06/13/2021 | accepted | 90
11337701 | 06/13/2021 | VulD... | cvss3_vuldb_tempscore | 4.8 | | 06/13/2021 | accepted | 90
11337700 | 06/13/2021 | VulD... | cvss2_vuldb_tempscore | 4.4 | | 06/13/2021 | accepted | 90
11337699 | 06/13/2021 | VulD... | cve_nvd_summary | This affects the package Flask-Unchained before 0.9.0. When using the _validate_redirect_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False'. | cve.mitre.org | 06/13/2021 | accepted | 70
11337698 | 06/13/2021 | VulD... | cve_assigned | 1610060400 | cve.mitre.org | 06/13/2021 | accepted | 70
11333408 | 06/11/2021 | VulD... | price_0day | $0-$5k | see documentation | 06/11/2021 | accepted | 90
11333407 | 06/11/2021 | VulD... | cvss3_meta_tempscore | 5.0 | see documentation | 06/11/2021 | accepted | 90
11333406 | 06/11/2021 | VulD... | cvss3_meta_basescore | 5.0 | see documentation | 06/11/2021 | accepted | 90
11333405 | 06/11/2021 | VulD... | cvss3_vuldb_tempscore | 5.0 | | 06/11/2021 | accepted | 90
11333404 | 06/11/2021 | VulD... | cvss3_vuldb_basescore | 5.0 | | 06/11/2021 | accepted | 90
11333403 | 06/11/2021 | VulD... | cvss2_vuldb_tempscore | 5.1 | | 06/11/2021 | accepted | 90
11333402 | 06/11/2021 | VulD... | cvss2_vuldb_basescore | 5.1 | | 06/11/2021 | accepted | 90
11333401 | 06/11/2021 | VulD... | cvss3_vuldb_e | X | derived from historical data | 06/11/2021 | accepted | 80
11333400 | 06/11/2021 | VulD... | cvss2_vuldb_e | ND | derived from historical data | 06/11/2021 | accepted | 80
11333399 | 06/11/2021 | VulD... | cvss2_vuldb_rl | OF | derived from vuldb v3 vector | 06/11/2021 | accepted | 80
11333398 | 06/11/2021 | VulD... | cvss2_vuldb_rc | C | derived from vuldb v3 vector | 06/11/2021 | accepted | 80
11333397 | 06/11/2021 | VulD... | cvss2_vuldb_ai | P | derived from vuldb v3 vector | 06/11/2021 | accepted | 80
11333396 | 06/11/2021 | VulD... | cvss2_vuldb_ii | P | derived from vuldb v3 vector | 06/11/2021 | accepted | 80
11333395 | 06/11/2021 | VulD... | cvss2_vuldb_ci | P | derived from vuldb v3 vector | 06/11/2021 | accepted | 80
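The cve_nvd_summary entry above describes a redirect check that can be bypassed with a backslash-only target such as \\\evil.com/path. The following added example (not Flask-Unchained's own code) shows a simplified check of that kind beside a hardened one that folds backslashes before parsing; the allowed host names are an assumption.

```python
from urllib.parse import urlsplit

# Assumed deployment hostnames (constructed for this example).
ALLOWED_HOSTS = {"app.example.com"}


def naive_is_safe(target: str) -> bool:
    """Simplified illustration of a check that only rejects '//host' and
    targets with a netloc. urlsplit does not treat '\\' as a separator,
    so a target like '\\\\\\evil.com/path' parses as a bare path and passes,
    even though browsers resolve it as '///evil.com/path' -> evil.com."""
    parts = urlsplit(target)
    return not parts.netloc and not target.startswith("//")


def hardened_is_safe(target: str) -> bool:
    """Accept only a plain local path or an absolute http(s) URL on an
    allowed host. Backslashes are folded to '/' first because browsers do
    the same for http(s) URLs; anything that then becomes scheme-relative
    ('//...') or carries a foreign host is refused."""
    # Control characters and whitespace have no place in a redirect target.
    if not target or any(ord(c) < 0x21 for c in target):
        return False
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: require http(s) and an exact allow-listed host.
        return parts.scheme in ("http", "https") and parts.netloc.lower() in ALLOWED_HOSTS
    # Relative target: exactly one leading '/', never '//host'.
    return candidate.startswith("/") and not candidate.startswith("//")


if __name__ == "__main__":
    # Constructed sample targets, including the backslash variant from the CVE summary.
    for sample in ["/account", "\\\\\\evil.com/path", "//evil.com/", "https://app.example.com/dash"]:
        print(f"{sample!r:32} naive={naive_is_safe(sample)!s:5} hardened={hardened_is_safe(sample)}")
```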
