{"id":"CVE-2021-43777","details":"Redash is a package for data visualization and sharing. In Redash version 10.0 and prior, the implementation of Google Login (via OAuth) incorrectly uses the `state` parameter to carry the URL to which the user is redirected after login. The `state` parameter should be used for a Cross-Site Request Forgery (CSRF) token, not a static and easily predicted value. This vulnerability does not affect users who do not use Google Login for their instance of Redash. A patch in the `master` and `release/10.x.x` branches addresses this by replacing `Flask-Oauthlib` with `Authlib`, which automatically provides and validates a CSRF token for the state variable. The new implementation stores the next URL on the user session object. As a workaround, one may disable Google Login to mitigate the vulnerability.","modified":"2026-03-13T21:59:33.178789Z","published":"2021-11-24T16:15:14.257Z","related":["GHSA-vhc7-w7r8-8m34"],"references":[{"type":"ADVISORY","url":"https://github.com/getredash/redash/security/advisories/GHSA-vhc7-w7r8-8m34"},{"type":"FIX","url":"https://github.com/getredash/redash/commit/da696ff7f84787cbf85967460fac52886cbe063e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/getredash/redash","events":[{"introduced":"0"},{"last_affected":"9c928bd1d3f00c994f37e1a87edaddd646259f56"},{"fixed":"da696ff7f84787cbf85967460fac52886cbe063e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"10.0.0"}]}}],"versions":["0.7.0","v0.1.29","v0.1.30","v0.1.31","v0.1.32","v0.1.35","v0.1.45","v0.10.0.b1774","v0.11.0-rc","v0.11.0.b2016","v0.12.0.b2449","v0.2.58","v0.2.60","v0.2.62","v0.2.64","v0.2.70","v0.3.1+b85","v0.3.1+b91","v0.3.1+b93","v0.3.1+b96","v0.3.1+b98","v0.3.2+b101","v0.3.2+b105","v0.3.2+b106","v0.3.2+b108","v0.3.2+b111","v0.3.2+b113","v0.3.2+b115","v0.3.2+b122","v0.3.2+b124","v0.3.2+b126","v0.3.2+b130","v0.3.2+b131","v0.3.2+b132","v0.3.2+b134","v0.3.2+b137","v0.3.2+b138","v0.3.3+b139","v0.3.3+b149","v0.3.3+
b152","v0.3.3+b154","v0.3.3+b155","v0.3.5+b158","v0.3.5+b161","v0.3.5+b162","v0.3.5+b169","v0.3.5+b170","v0.3.5+b173","v0.3.5+b175","v0.3.5+b185","v0.3.5+b186","v0.3.5+b201","v0.3.5+b207","v0.3.5+b210","v0.3.5+b212","v0.3.5+b217","v0.3.5+b219","v0.3.5+b222","v0.3.5+b223","v0.3.5+b227","v0.3.5+b232","v0.3.5+b235","v0.3.5+b237","v0.3.5+b238","v0.3.5+b250","v0.3.5+b264","v0.3.5+b271","v0.3.5+b279","v0.3.5+b281","v0.3.5+b287","v0.3.5+b293","v0.3.5+b299","v0.3.5+b304","v0.3.5+b306","v0.3.5+b311","v0.3.5+b314","v0.3.5+b316","v0.3.5+b317","v0.3.5+b320","v0.3.6+b322","v0.3.6+b327","v0.3.6+b328","v0.3.6+b330","v0.3.6+b332","v0.3.6+b334","v0.3.6+b336","v0.3.6+b339","v0.3.6+b341","v0.3.6+b343","v0.3.6+b346","v0.3.6+b349","v0.3.6+b352","v0.3.6+b354","v0.3.6+b359+b359","v0.3.6+b365","v0.3.6+b368","v0.3.6+b370","v0.3.6+b372","v0.3.6+b374","v0.3.6+b376","v0.3.6+b378","v0.3.6+b379","v0.3.7+b386","v0.3.7+b388","v0.4.0+b395","v0.4.0+b397","v0.4.0+b399","v0.4.0+b401","v0.4.0+b405","v0.4.0+b409","v0.4.0+b415","v0.4.0+b416","v0.4.0+b418","v0.4.0+b420","v0.4.0+b421","v0.4.0+b422","v0.4.0+b423","v0.4.0+b424","v0.4.0+b425","v0.4.0+b426","v0.4.0+b427","v0.4.0+b429","v0.4.0+b431","v0.4.0+b433","v0.4.0+b435","v0.4.0+b436","v0.4.0+b437","v0.4.0+b438","v0.4.0+b440","v0.4.0+b442","v0.4.0+b444","v0.4.0+b445","v0.4.0+b447","v0.4.0+b449","v0.4.0+b453","v0.4.0+b480","v0.4.0+b484","v0.4.0+b489","v0.4.0+b491","v0.4.0+b493","v0.4.0+b498","v0.4.0+b500","v0.4.0+b507","v0.4.0+b508","v0.4.0+b510","v0.4.0+b513","v0.4.0+b514","v0.4.0+b518","v0.4.0+b521","v0.4.0+b522","v0.4.0+b525","v0.4.0+b528","v0.4.0+b531","v0.4.0+b532","v0.4.0+b534","v0.4.0+b536","v0.4.0+b537","v0.4.0+b538","v0.4.0+b542","v0.4.0+b544","v0.4.0+b546","v0.4.0+b549","v0.4.0+b552","v0.4.0+b554","v0.4.0+b555","v0.4.0+b556","v0.4.0+b559","v0.4.0+b560","v0.4.0+b562","v0.4.0+b563","v0.4.0+b564","v0.4.0+b567","v0.4.0+b568","v0.4.0+b573","v0.4.0+b581","v0.4.0+b582","v0.4.0+b585","v0.4.0+b587","v0.4.0+b588","v0.4.0+b589","v0.4.0+b591","v0.4.0+b595","
v0.4.0+b602","v0.4.0+b604","v0.4.0+b606","v0.4.0+b608","v0.4.0+b614","v0.4.0+b618","v0.4.0+b620","v0.4.0+b622","v0.4.0+b623","v0.4.0+b627","v0.4.0+b628","v0.4.0+b629","v0.4.0+b630","v0.4.0+b632","v0.4.0+b634","v0.4.0+b636","v0.4.0+b640","v0.4.0+b641","v0.5.0+b648","v0.5.0+b650","v0.5.0+b652","v0.5.0+b654","v0.5.0+b655","v0.5.0+b656","v0.5.0+b661","v0.5.0+b664","v0.5.0+b666","v0.5.0+b670","v0.5.0+b674","v0.5.0+b676","v0.5.0+b678","v0.5.0+b679","v0.5.0+b680","v0.5.0+b681","v0.5.0+b683","v0.5.0+b685","v0.5.0+b689","v0.5.0+b690","v0.5.0+b696","v0.6.0+b703","v0.6.0+b705","v0.6.0+b707","v0.6.0+b709","v0.6.0+b710","v0.6.0+b711","v0.6.0+b714","v0.6.0+b716","v0.6.0+b718","v0.6.0+b720","v0.6.0+b722","v0.6.0+b723","v0.6.0+b727","v0.6.0+b729","v0.6.0+b731","v0.6.0+b733","v0.6.0+b735","v0.6.0+b737","v0.6.0+b746","v0.6.0+b748","v0.6.0+b759","v0.6.0+b760","v0.6.0+b762","v0.6.0+b767","v0.6.0.b812","v0.6.1-rc","v0.6.1.b885","v0.6.2-rc","v0.6.2.b887","v0.6.3-rc","v0.6.3.b906","v0.6.4-rc","v0.7.0-rc","v0.7.1-rc","v0.7.1.b1015","v0.8.0-rc","v0.8.0.b1058","v0.8.1-rc","v0.8.1.b1110","v0.8.2-rc","v0.8.2.b1181","v0.8.3-rc","v0.8.3.b1192","v0.9.0-rc","v0.9.0.b1363","v0.9.1-rc","v0.9.1.b1377","v0.9.2-rc","v0.9.2.b1536","v1.0.0-rc.1","v1.0.0-rc.2","v1.0.1","v1.0.2","v1.0.3","v10.0.0","v10.0.0-beta","v2.0.0","v3.0.0","v4.0.0","v4.0.0-beta","v4.0.0-rc.1","v4.0.1","v5.0.0","v5.0.0-beta","v6.0.0-beta"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43777.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}