Information Exposure Affecting flask-appbuilder package, versions [,4.1.3)
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-PYTHON-FLASKAPPBUILDER-2964179
-
published
31 Jul 2022
-
disclosed
29 Jul 2022
-
credit
Unknown
Introduced: 29 Jul 2022
New CVE-2022-31177 Open this link in a new tabHow to fix?
Upgrade Flask-AppBuilder
to version 4.1.3 or higher.
Overview
Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.
Affected versions of this package are vulnerable to Information Exposure by revealing partial password hashes using crafted HTTP requests that filter users by the contents of their salted hashed password strings.
NOTE:
This vulnerability is exploitable only when the AUTH_DB
option is in use.