GHSA-v988-828w-xvf2: 
Python vulnerability analysis and mitigation

A high-severity authentication bypass vulnerability was discovered in rucio-webui versions 1.26.0 through 1.26.6. The vulnerability was disclosed on October 21, 2021, and affects the authentication token workflow in the Rucio WebUI after its migration to FLASK as a backend. The issue is isolated to the webui component, with Rucio server and daemons remaining unaffected (GitHub Advisory).

The vulnerability stems from a cookie variable being defined as global within the wsgi_container, causing cookie contents to leak between sessions executed in close time proximity. This implementation flaw allows authentication tokens to be exposed across different user sessions within the wsgi container (Rucio Issue). The vulnerability is tracked as GHSA-v988-828w-xvf2 and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-305 (Authentication Bypass by Primary Weakness) (GitHub Advisory).

The vulnerability enables authentication tokens to leak to other users accessing the webui within a close timeframe, allowing unauthorized users to access the webui with leaked authentication tokens. This leads to privilege escalation, as users can potentially gain access to resources and permissions assigned to other users' accounts (GitHub Advisory).

The vulnerability has been patched in version 1.26.7 of rucio-webui. For users unable to update immediately, a workaround is available by installing the 1.25.7 webui release, as the 1.25 and previous webui release lines are not affected by this issue (GitHub Advisory).