Access Restriction Bypass Affecting flower package, versions [,1.2.0)

Exploit Maturity

Proof of concept
Attack Complexity

Low
Scope

Changed
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-PYTHON-FLOWER-2858331
published

3 Jun 2022
disclosed

3 Jun 2022
credit

Tanner Prynn (@tprynn)

Report a new vulnerability Found a mistake?

Introduced: 3 Jun 2022

CVE-2022-30034 Open this link in a new tab CWE-284 Open this link in a new tab

How to fix?

Upgrade flower to version 1.2.0 or higher.

Overview

Affected versions of this package are vulnerable to Access Restriction Bypass due to an OAuth authentication bypass. An attacker could access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.

References

GitHub Commit
GitHub Issue
GitHub PR
GitHub PR
Write Up

Access Restriction Bypass Affecting flower package, versions [,1.2.0)

Exploit Maturity

Attack Complexity

Scope

Availability

snyk-id

published

disclosed

credit

Introduced: 3 Jun 2022

How to fix?

Overview

References