Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client
Vulnerability Description
Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users. This issue has been patched in version 4.8.1.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Vulnerability Type
认证机制不恰当
Vulnerability Title
Flask-HTTPAuth 授权问题漏洞
Vulnerability Description
Flask-HTTPAuth是Miguel Grinberg个人开发者的一个Flask框架的HTTP认证扩展。 Flask-HTTPAuth 4.8.1之前版本存在授权问题漏洞,该漏洞源于当客户端向受令牌保护的资源发出请求而未传递令牌或传递空令牌时,会以空字符串作为令牌参数调用应用程序的令牌验证回调函数,可能导致针对数据库中令牌为空字符串的任何用户对客户端请求进行身份验证。
CVSS Information
N/A
Vulnerability Type
N/A