CVE-2023-34110

2023-06-2223:15:09

CWE-209

[email protected]

web.nvd.nist.gov

flask-appbuilder

framework

security

vulnerability

database error

user

hashed password

cve-2023-34110

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

3.5 Low

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.1%

JSON

Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.

Affected configurations

Vulners

NVD

Node

dpgasparflask_appbuilderRange<4.3.2

CPENameOperatorVersion
flask-appbuilder_project:flask-appbuilderflask-appbuilder project flask-appbuilderlt4.3.2

CPE	Name	Operator	Version
flask-appbuilder_project:flask-appbuilder	flask-appbuilder project flask-appbuilder	lt	4.3.2

CNA Affected

[
  {
    "vendor": "dpgaspar",
    "product": "Flask-AppBuilder",
    "versions": [
      {
        "version": "< 4.3.2",
        "status": "affected"
      }
    ]
  }
]