Lucene search

[email protected]CVE-2021-41265

HistoryDec 09, 2021 - 5:15 p.m.

CVE-2021-41265

2021-12-0917:15:07

CWE-287

[email protected]

web.nvd.nist.gov

cve-2021-41265

flask-appbuilder

development framework

improper authentication vulnerability

rest api

security patch

nvd

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.1%

JSON

Flask-AppBuilder is a development framework built on top of Flask. Verions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. This only affects non database authentication types and new REST API endpoints. Users should upgrade to Flask-AppBuilder 3.3.4 to receive a patch.

Affected configurations

Vulners

NVD

Node

dpgasparflask_appbuilderRange<3.3.4

CPENameOperatorVersion
flask-appbuilder_project:flask-appbuilderflask-appbuilder project flask-appbuilderlt3.3.4

CPE	Name	Operator	Version
flask-appbuilder_project:flask-appbuilder	flask-appbuilder project flask-appbuilder	lt	3.3.4

CNA Affected

[
  {
    "product": "Flask-AppBuilder",
    "vendor": "dpgaspar",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.3.4"
      }
    ]
  }
]