Improper Authentication Affecting flask-appbuilder package, versions [,4.3.11)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Authentication vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-FLASKAPPBUILDER-6305197
  • published29 Feb 2024
  • disclosed28 Feb 2024
  • creditDaniel Vaz Gaspar

Introduced: 28 Feb 2024

CVE-2024-25128  (opens in a new tab)
CWE-287  (opens in a new tab)

How to fix?

Upgrade Flask-AppBuilder to version 4.3.11 or higher.

Overview

Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.

Affected versions of this package are vulnerable to Improper Authentication due to incorrect authentication handling when using the AUTH_OID auth type. An attacker can forge an HTTP request to deceive the backend into using any requested OpenID service, potentially granting unauthorized privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend.

Note:

This is only exploitable when the application uses the old OpenID 2.0 authorization protocol, which is considered legacy and has been deprecated for over a decade.

Workaround

This vulnerability can be mitigated by adding a specific configuration to the application's config. This involves defining a FixedOIDView and a FixedSecurityManager class to properly validate OpenID providers.

References

CVSS Scores

version 3.1