Improper Authentication Affecting flask-appbuilder package, versions [,4.3.11)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-FLASKAPPBUILDER-6305197
- published 29 Feb 2024
- disclosed 28 Feb 2024
- credit Daniel Vaz Gaspar
Introduced: 28 Feb 2024
CVE-2024-25128 Open this link in a new tabHow to fix?
Upgrade Flask-AppBuilder to version 4.3.11 or higher.
Overview
Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.
Affected versions of this package are vulnerable to Improper Authentication due to incorrect authentication handling when using the AUTH_OID auth type. An attacker can forge an HTTP request to deceive the backend into using any requested OpenID service, potentially granting unauthorized privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend.
Note:
This is only exploitable when the application uses the old OpenID 2.0 authorization protocol, which is considered legacy and has been deprecated for over a decade.
Workaround
This vulnerability can be mitigated by adding a specific configuration to the application's config. This involves defining a FixedOIDView and a FixedSecurityManager class to properly validate OpenID providers.