Lucene search

Veracode Vulnerability DatabaseVERACODE:41093

HistoryJun 30, 2023 - 12:43 p.m.

Information Disclosure

2023-06-3012:43:44

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

flask_appbuilder

information disclosure

interface.py

crud

admin attacker

sensitive user information

hashed passwords

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

38.0%

JSON

flask_appbuilder is vulnerable to Information Disclosure. The vulnerability exists in the crud operator functions in interface.py due to log messages which are not properly sanitized during database errors, allowing an admin authenticated attacker to gain access to sensitive user information such as the hashed passwords.

CPENameOperatorVersion
flask-appbuilderle4.3.2rc2
flask-appbuilderle4.3.2rc2

CPE	Name	Operator	Version
	flask-appbuilder	le	4.3.2rc2
	flask-appbuilder	le	4.3.2rc2

References

github.com/dpgaspar/Flask-AppBuilder/commit/ae25ad4c87a9051ebe4a4e8f02aee73232642626

github.com/dpgaspar/Flask-AppBuilder/pull/2045

github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.2

github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-jhpr-j7cq-3jp3

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

38.0%

JSON

Related for VERACODE:41093