Skip to content

Security Vulnerabilities in Flower: OAuth Authentication Bypass and Lack of CSRF Protections (CVE-2022-30034) #1217

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tprynn opened this issue May 26, 2022 · 9 comments
Closed

Security Vulnerabilities in Flower: OAuth Authentication Bypass and Lack of CSRF Protections (CVE-2022-30034) #1217

tprynn opened this issue May 26, 2022 · 9 comments
Labels
bug

Comments

@tprynn
Copy link

tprynn commented May 26, 2022

Ref: https://tprynn.github.io/2022/05/26/flower-vulns.html

  • Flower is unauthenticated by default and lacks CSRF protections
  • Flower's OAuth support is vulnerable to a bypass allowing anyone to authenticate regardless of the auth_regex restriction

Due to a lack of response from the maintainer, these issues were publicly disclosed on 26 May 2022 along with a PR (#1216)
@tprynn tprynn added the bug label May 26, 2022
@tprynn tprynn mentioned this issue May 30, 2022
Closed
@magedhelmy1
Copy link

@mher FYI!

Repository owner deleted a comment from ranjith19 Jul 1, 2022
@mher
Copy link
Owner

mher commented Jul 2, 2022

  • Flower is unauthenticated by default and lacks CSRF protections

Actually flower has an option for CRSF protection https://flower.readthedocs.io/en/latest/config.html#cookie-secret

  • Flower's OAuth support is vulnerable to a bypass allowing anyone to authenticate regardless of the auth_regex restriction

The vulnerabilities mentioned in the article can be prevented by more strict regular expressions. For example, .*@example.com$ can be used to prevent authenticating with [email protected]

@mher
Copy link
Owner

mher commented Jul 9, 2022

Created a pull request to improve security #1227 please review

@mher
Copy link
Owner

mher commented Aug 7, 2022

Released a new version https://pypi.org/project/flower/1.2.0/

@mher mher closed this as completed Aug 7, 2022
@jepify jepify mentioned this issue Aug 11, 2022
Closed
@sebastian-philipp
Copy link

Released a new version https://pypi.org/project/flower/1.2.0/

pip-audit still complains here:

Found 1 known vulnerability in 1 package
Name   Version ID                  Fix Versions
------ ------- ------------------- ------------
flower 1.2.0   GHSA-q4qm-xhf9-4p8f

@tprynn
Copy link
Author

tprynn commented Aug 16, 2022

@sebastian-philipp I've submitted an update to MITRE to have them mark the entry as fixed as of 1.2.0. It tends to take them some time to respond, but after they update the entry I think pip-audit should hopefully be able to notice it's fixed.

@dotlambda dotlambda mentioned this issue Aug 30, 2022
Merged
13 tasks
@sebastian-philipp
Copy link

@tprynn by chance, do you know why we're still seeing the same error with pip-audit?

$ pip-audit -r constraints.txt
Found 1 known vulnerability in 1 package
Name   Version ID                  Fix Versions
------ ------- ------------------- ------------
flower 1.2.0   GHSA-q4qm-xhf9-4p8f

@tprynn tprynn mentioned this issue Sep 12, 2022
Merged
@tprynn
Copy link
Author

tprynn commented Sep 12, 2022

@sebastian-philipp I'm sorry, I don't know exactly how the version info flows through the various DBs. Looking at pip-audit's docs it seems like the source should be https://github.com/pypa/advisory-database but I didn't find any reference to the CVE / IDs there. I did submit a change to Github's advisory DB in case it's there: github/advisory-database#666

@sebastian-philipp
Copy link

@sebastian-philipp I'm sorry

No worries. I'm just super grateful for you work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mher @tprynn @sebastian-philipp @magedhelmy1