GHSA-7R87-CJ48-WJ45

Vulnerability from github – Published: 2022-04-26 21:19 – Updated: 2024-09-20 21:03
VLAI?
Summary
Potential Captcha Validate Bypass in flask-session-captcha
Details

Impact

flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session.

The captcha.validate() function would return None if passed no value (e.g. by submitting a request with an empty form).

If implementing users were checking the return value to be False, the captcha verification check could be bypassed.

Sample vulnerable code:

if captcha.validate() == False:
    ... # abort
else:
   ... # do stuff

Patches

A new version (1.2.1) is available that fixes the issue.

Workarounds

Users can workaround the issue by not explicitly checking that the value is False.

Checking the return value less explicitly should still work. 

if not captcha.validate():
    ... # abort
else:
   ... # do stuff

if captcha.validate():
    ... # do stuff
else:
   ... # abort

References

https://github.com/Tethik/flask-session-captcha/pull/27

For more information

If you have any questions or comments about this advisory: * Open an issue in the github repo

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "flask-session-captcha"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-253",
      "CWE-394",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-26T21:19:52Z",
    "nvd_published_at": "2022-04-25T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nflask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session.\n\nThe `captcha.validate()` function would return `None` if passed no value (e.g. by submitting a request with an empty form).\n\nIf implementing users were checking the return value to be **False**, the captcha verification check could be bypassed.\n\nSample vulnerable code:\n```python\nif captcha.validate() == False:\n    ... # abort\nelse:\n   ... # do stuff\n```\n\n### Patches\nA new version (1.2.1) is available that fixes the issue.\n\n### Workarounds\nUsers can workaround the issue by not explicitly checking that the value is False. \n\nChecking the return value less explicitly should still work. \n\n```python\nif not captcha.validate():\n    ... # abort\nelse:\n   ... # do stuff\n```\n\n```python\nif captcha.validate():\n    ... # do stuff\nelse:\n   ... # abort\n```\n\n### References\nhttps://github.com/Tethik/flask-session-captcha/pull/27\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the github repo](https://github.com/Tethik/flask-session-captcha)\n",
  "id": "GHSA-7r87-cj48-wj45",
  "modified": "2024-09-20T21:03:06Z",
  "published": "2022-04-26T21:19:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24880"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tethik/flask-session-captcha/pull/27"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tethik/flask-session-captcha/commit/2811ae23a38d33b620fb7a07de8837c6d65c13e4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Tethik/flask-session-captcha"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tethik/flask-session-captcha/releases/tag/v1.2.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask-session-captcha/PYSEC-2022-193.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Potential Captcha Validate Bypass in flask-session-captcha"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.