GitHub Advisory Database: GHSA-JHPR-J7CQ-3JP3
Published: Jun 22, 2023, 7:59 p.m.

Flask-AppBuilder vulnerable to possible disclosure of sensitive information on user error

2023-06-22 19:59:03
Weakness: CWE-209 (Generation of Error Message Containing Sensitive Information)
Source: GitHub Advisory Database (github.com)
Tags: flask-appbuilder, sensitive information, disclosure, vulnerability, admin privileges, database error, ui, pbkdf2:sha256, password, patch, software

CVSS v3.1 base score: 2.7 (Low)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001 (Low), percentile 38.0%

Impact

An authenticated malicious actor with Admin privileges can trigger a database error by entering a special character in the add or edit User forms. That error is surfaced back to the actor in the UI. On certain database engines the error text includes the entire user row, including the pbkdf2:sha256 hashed password.
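The failure mode described above is CWE-209 in its classic form: an exception from the data layer is rendered into the page instead of a generic message. The following added example (not Flask-AppBuilder's own code) reproduces the disclosure with a stand-in `ab_user` table in an in-memory SQLite database. The trigger used here is a duplicate username rather than the advisory's special-character case, since SQLite does not error on that input; the point is the handler, which in the vulnerable variant echoes an ORM-style error string carrying the bound INSERT parameters (the stored hash among them) back to the admin, and in the hardened variant logs the detail server-side and shows a generic message. The schema, the `pbkdf2:sha256:<iterations>$<salt>$<hex>` hash layout, and the wrapped-error string format are assumptions of the example.

```python
import hashlib
import logging
import os
import sqlite3

log = logging.getLogger("fab_demo")

# Constructed schema: a minimal stand-in for the ab_user table (assumption).
SCHEMA = """
CREATE TABLE ab_user (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
)
"""
INSERT_SQL = "INSERT INTO ab_user (username, password) VALUES (?, ?)"


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Stdlib pbkdf2:sha256 hash in a 'method:iterations$salt$hex' layout.
    The layout approximates the werkzeug string format (assumption); only the
    'pbkdf2:sha256' prefix matters for the demonstration."""
    salt = os.urandom(8).hex()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${dk.hex()}"


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_user_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Vulnerable pattern (CWE-209): the error text, wrapped ORM-style with the
    failing statement and its bound parameters, becomes the flash message shown
    to the admin. The hashed password is one of those parameters."""
    params = (username, hash_password(password))
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(INSERT_SQL, params)
        return {"ok": True, "flash": "Added user"}
    except sqlite3.Error as exc:
        # Mimics how an ORM layer annotates a DB-API error (constructed format).
        detail = f"{exc} [SQL: {INSERT_SQL}] [parameters: {params}]"
        return {"ok": False, "flash": f"Add failed: {detail}"}


def add_user_fixed(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Hardened pattern: the engine message goes to the server log (never the
    bound parameters), and the UI receives only a generic message."""
    params = (username, hash_password(password))
    try:
        with conn:
            conn.execute(INSERT_SQL, params)
        return {"ok": True, "flash": "Added user"}
    except sqlite3.Error as exc:
        log.error("add user %r failed: %s: %s", username, type(exc).__name__, exc)
        return {"ok": False, "flash": "Error adding user; see the server log."}


if __name__ == "__main__":
    db = new_db()
    print(add_user_vulnerable(db, "alice", "s3cret"))
    print(add_user_vulnerable(db, "alice", "s3cret"))  # duplicate: leaks the hash
    print(add_user_fixed(db, "alice", "s3cret"))       # duplicate: generic message
```

When reviewing an application for this class of bug, grep for places where `str(exc)` or an exception's `args` reach a template, flash message or JSON body; the engine and ORM decide how much of the row ends up in that string, so the only safe rendering is a fixed message with the detail kept in logs.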

Patches

Fixed in 4.3.2.

Affected configurations

Vulners node: flask-appbuilder, range < 4.3.2

CPE name          Operator   Version
flask-appbuilder  lt         4.3.2
