5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24880

GHSA ID

GHSA-7r87-cj48-wj45

EPSS Score

0.46832%

CWE

CWE-253

Published

4/26/2022

Updated

9/20/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24880

CVE-2022-24880:
Potential Captcha Validate Bypass in flask-session-captcha

Impact

flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session.

The captcha.validate() function would return None if passed no value (e.g. by submitting a request with an empty form).

If implementing users were checking the return value to be False, the captcha verification check could be bypassed.

Sample vulnerable code:

if captcha.validate() == False:
    ... # abort
else:
   ... # do stuff

Patches

A new version (1.2.1) is available that fixes the issue.

Workarounds

Users can workaround the issue by not explicitly checking that the value is False.

Checking the return value less explicitly should still work.

if not captcha.validate():
    ... # abort
else:
   ... # do stuff

if captcha.validate():
    ... # do stuff
else:
   ... # abort

References

https://github.com/Tethik/flask-session-captcha/pull/27

For more information

If you have any questions or comments about this advisory:

Open an issue in the github repo

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24880

GHSA ID

GHSA-7r87-cj48-wj45

EPSS Score

0.46832%

CWE

CWE-253

Published

4/26/2022

Updated

9/20/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
flask-session-captcha	pip	< 1.2.1	1.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from validate() returning None instead of False for empty inputs. This is explicitly shown in the advisory's impact description, patch commit tests (which added checks for validate(value=None) == False), and CWE-253 (Incorrect Check of Return Value). The function's return value handling is the root cause of the bypass vulnerability when improperly checked.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *l*sk-s*ssion-**pt*** is * p**k*** w*i** *llows us*rs to *xt*n* *l*sk *y ***in* *n im*** **s** **pt*** stor** in * s*rv*r si** s*ssion. T** `**pt***.v*li**t*()` *un*tion woul* r*turn `Non*` i* p*ss** no v*lu* (*.*. *y su*mittin* * r*qu*st

Reasoning

T** vuln*r**ility st*ms *rom v*li**t*() r*turnin* Non* inst*** o* **ls* *or *mpty inputs. T*is is *xpli*itly s*own in t** **visory's imp**t **s*ription, p*t** *ommit t*sts (w*i** ***** ****ks *or v*li**t*(v*lu*=Non*) == **ls*), *n* *W*-*** (In*orr**t

5.3

Basic Information

Concerned about an active attack path?

CVE-2022-24880: Potential Captcha Validate Bypass in flask-session-captcha

Impact

Patches

Workarounds

References

For more information

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-24880:
Potential Captcha Validate Bypass in flask-session-captcha

Vulnerability Intelligence
Miggo AI