flask-appbuilder 4.1.5rc1 vulnerabilities

Known vulnerabilities in the flask-appbuilder package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Information Exposure Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more. Affected versions of this package are vulnerable to Information Exposure due to observable response discrepancies. This vulnerability allows unauthenticated attackers to determine existing usernames by measuring server response times during login attempts. How to fix Information Exposure? Upgrade `Flask-AppBuilder` to version 4.5.3 or higher.	[,4.5.3)
M Information Exposure Through Browser Caching Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more. Affected versions of this package are vulnerable to Information Exposure Through Browser Caching due to the default cache directives of the auth DB login form, allowing sensitive data to be stored locally by the browser. An attacker can access the sensitive data stored locally by exploiting shared computer environments. How to fix Information Exposure Through Browser Caching? Upgrade `Flask-AppBuilder` to version 4.5.1 or higher.	[,4.5.1)
M Cross-site Scripting (XSS) Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page, which could inject and execute malicious javascript code that would get executed on the user's browser. How to fix Cross-site Scripting (XSS)? Upgrade `Flask-AppBuilder` to version 4.2.1 or higher.	[4.1.4,4.2.1)
H Improper Authentication Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more. Affected versions of this package are vulnerable to Improper Authentication due to incorrect authentication handling when using the `AUTH_OID` auth type. An attacker can forge an HTTP request to deceive the backend into using any requested OpenID service, potentially granting unauthorized privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. Note: This is only exploitable when the application uses the old OpenID 2.0 authorization protocol, which is considered legacy and has been deprecated for over a decade. How to fix Improper Authentication? Upgrade `Flask-AppBuilder` to version 4.3.11 or higher.	[,4.3.11)
L Information Exposure Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more. Affected versions of this package are vulnerable to Information Exposure such that an authenticated malicious actor with Admin privileges, can edit User forms and trigger a database error. On certain database engines, this error can include the entire user row including the `pbkdf2:sha256` hashed password. How to fix Information Exposure? Upgrade `Flask-AppBuilder` to version 4.3.2 or higher.	[,4.3.2)
H Brute Force Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more. Affected versions of this package are vulnerable to Brute Force due to the lack of rate limiting which will allow an attacker to obtain user credentials. How to fix Brute Force? Upgrade `Flask-AppBuilder` to version 4.3.0 or higher.	[,4.3.0)

Vulnerability

Vulnerable Version

Information Exposure

Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.

Affected versions of this package are vulnerable to Information Exposure due to observable response discrepancies. This vulnerability allows unauthenticated attackers to determine existing usernames by measuring server response times during login attempts.

How to fix Information Exposure?

Upgrade Flask-AppBuilder to version 4.5.3 or higher.

[,4.5.3)

Information Exposure Through Browser Caching

Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.

Affected versions of this package are vulnerable to Information Exposure Through Browser Caching due to the default cache directives of the auth DB login form, allowing sensitive data to be stored locally by the browser. An attacker can access the sensitive data stored locally by exploiting shared computer environments.

How to fix Information Exposure Through Browser Caching?

Upgrade Flask-AppBuilder to version 4.5.1 or higher.

[,4.5.1)

Cross-site Scripting (XSS)

Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page, which could inject and execute malicious javascript code that would get executed on the user's browser.

How to fix Cross-site Scripting (XSS)?

Upgrade Flask-AppBuilder to version 4.2.1 or higher.

[4.1.4,4.2.1)

Improper Authentication

Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.

Affected versions of this package are vulnerable to Improper Authentication due to incorrect authentication handling when using the AUTH_OID auth type. An attacker can forge an HTTP request to deceive the backend into using any requested OpenID service, potentially granting unauthorized privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend.

Note:

This is only exploitable when the application uses the old OpenID 2.0 authorization protocol, which is considered legacy and has been deprecated for over a decade.

How to fix Improper Authentication?

Upgrade Flask-AppBuilder to version 4.3.11 or higher.

[,4.3.11)

Information Exposure

Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.

Affected versions of this package are vulnerable to Information Exposure such that an authenticated malicious actor with Admin privileges, can edit User forms and trigger a database error. On certain database engines, this error can include the entire user row including the pbkdf2:sha256 hashed password.

How to fix Information Exposure?

Upgrade Flask-AppBuilder to version 4.3.2 or higher.

[,4.3.2)

Brute Force

Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.

Affected versions of this package are vulnerable to Brute Force due to the lack of rate limiting which will allow an attacker to obtain user credentials.

How to fix Brute Force?

Upgrade Flask-AppBuilder to version 4.3.0 or higher.

[,4.3.0)

flask-appbuilder@4.1.5rc1 vulnerabilities

Simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?