Veracode Vulnerability Database, VERACODE:45684
Feb 29, 2024 - 5:06 a.m.

Authentication Bypass

2024-02-29 05:06:54
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: flask_appbuilder, authentication bypass, openid, manipulation, vulnerability, http request, unauthorized access, security

CVSS3: 9.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 7.5 High
Confidence: Low

EPSS: 0.0004 Low
Percentile: 9.0%

flask_appbuilder is vulnerable to authentication bypass. Authentication requests can be manipulated to deceive the backend into using any specified OpenID service, which allows an attacker to forge an HTTP request and gain unauthorized privileged access. Note that this vulnerability is only exploitable if AUTH_TYPE is set to AUTH_OID.
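
A defender's check for the precondition named above, as an added example that is not part of the Veracode entry or of flask_appbuilder's own code: it statically inspects the source of a config module to see whether AUTH_TYPE resolves to AUTH_OID. The function name, result labels and sample config are constructed for illustration, and it assumes AUTH_OID has the integer value 0, as in flask_appbuilder's auth-type constants.

```python
import ast

AUTH_OID_VALUE = 0  # assumed numeric value of flask_appbuilder's AUTH_OID
OTHER_AUTH_NAMES = {"AUTH_DB", "AUTH_LDAP", "AUTH_REMOTE_USER", "AUTH_OAUTH"}


def classify_auth_type(config_source):
    """Classify the AUTH_TYPE setting in a Flask-AppBuilder config module.

    Returns "openid" (the exploitable precondition), "other", "unset",
    or "review" when the value cannot be decided without running the code.
    """
    oid_names = {"AUTH_OID"}  # local names known to be bound to AUTH_OID
    value = None
    for node in ast.parse(config_source).body:
        if isinstance(node, ast.ImportFrom):
            # Track "from ... import AUTH_OID as X" so aliases are not missed.
            for alias in node.names:
                if alias.name == "AUTH_OID":
                    oid_names.add(alias.asname or alias.name)
        elif isinstance(node, ast.Assign):
            if any(isinstance(t, ast.Name) and t.id == "AUTH_TYPE"
                   for t in node.targets):
                value = node.value  # the last top-level assignment wins
    if value is None:
        return "unset"
    if isinstance(value, ast.Name):
        if value.id in oid_names:
            return "openid"
        return "other" if value.id in OTHER_AUTH_NAMES else "review"
    if isinstance(value, ast.Attribute):  # e.g. manager.AUTH_OID
        if value.attr == "AUTH_OID":
            return "openid"
        return "other" if value.attr in OTHER_AUTH_NAMES else "review"
    if isinstance(value, ast.Constant) and type(value.value) is int:
        return "openid" if value.value == AUTH_OID_VALUE else "other"
    return "review"  # computed at runtime (environment lookup, call, ...)


# Constructed sample config, not taken from any real deployment.
SAMPLE_CONFIG = """
from flask_appbuilder.security.manager import AUTH_DB, AUTH_OID as OPENID
AUTH_TYPE = AUTH_DB
AUTH_TYPE = OPENID
"""

if __name__ == "__main__":
    print(classify_auth_type(SAMPLE_CONFIG))
```

A "review" result means the value is only known at runtime, so the deployed environment has to be checked directly.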