CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
34.7%
flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session.
The captcha.validate()
function would return None
if passed no value (e.g. by submitting a request with an empty form).
If implementing users were checking the return value to be False, the captcha verification check could be bypassed.
Sample vulnerable code:
if captcha.validate() == False:
... # abort
else:
... # do stuff
A new version (1.2.1) is available that fixes the issue.
Users can workaround the issue by not explicitly checking that the value is False.
Checking the return value less explicitly should still work.
if not captcha.validate():
... # abort
else:
... # do stuff
if captcha.validate():
... # do stuff
else:
... # abort
https://github.com/Tethik/flask-session-captcha/pull/27
If you have any questions or comments about this advisory:
Vendor | Product | Version | CPE |
---|---|---|---|
flask-session-captcha_project | flask-session-captcha | * | cpe:2.3:a:flask-session-captcha_project:flask-session-captcha:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-7r87-cj48-wj45
github.com/pypa/advisory-database/tree/main/vulns/flask-session-captcha/PYSEC-2022-193.yaml
github.com/Tethik/flask-session-captcha/commit/2811ae23a38d33b620fb7a07de8837c6d65c13e4
github.com/Tethik/flask-session-captcha/pull/27
github.com/Tethik/flask-session-captcha/releases/tag/v1.2.1
github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45
nvd.nist.gov/vuln/detail/CVE-2022-24880
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
34.7%