GHSA-jhpr-j7cq-3jp3: Flask-AppBuilder vulnerable to possible disclosure of sensitive information on user error
Impact
An authenticated malicious actor with Admin privileges could, by adding a special character on the add or edit User forms, trigger a database error; this error is surfaced back to the actor in the UI. On certain database engines the error can include the entire user row, including the pbkdf2:sha256 hashed password.
Patches
Fixed in 4.3.2
Low severity GitHub Reviewed Published Jun 22, 2023 in dpgaspar/Flask-AppBuilder • Updated Jun 22, 2023
Flask-AppBuilder is an application development framework built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges could, by adding a special character on the add or edit User forms, trigger a database error; this error is surfaced back to the actor in the UI. On certain database engines the error can include the entire user row, including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.
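The disclosure pattern behind this advisory, as an added illustration that is not Flask-AppBuilder's own code: a user-save handler that returns the raw database error, with the failing statement and its bound parameters, puts the stored password hash in front of the UI user, while the hardened handler logs the detail server-side and returns only a generic message with a reference id. It uses stdlib sqlite3 and a constructed `pbkdf2:sha256`-style hash; the `ab_user` schema, the duplicate-username trigger and the error format are assumptions standing in for whatever the real engine and ORM produce.

```python
import hashlib
import logging
import sqlite3
import uuid

log = logging.getLogger("user_admin")

def hash_password(password: str, salt: str = "constructedsalt") -> str:
    # Constructed stand-in for the pbkdf2:sha256 format the advisory names; not the framework's code.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 260000)
    return f"pbkdf2:sha256:260000${salt}${digest.hex()}"

def new_db() -> sqlite3.Connection:
    # Constructed schema: a UNIQUE constraint gives us a reproducible database error.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ab_user (username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO ab_user VALUES (?, ?)", ("alice", hash_password("correct horse")))
    return conn

def add_user_unsafe(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Vulnerable pattern: the exception text, including the bound row, is returned to the UI."""
    params = (username, hash_password(password))
    try:
        conn.execute("INSERT INTO ab_user VALUES (?, ?)", params)
    except sqlite3.DatabaseError as exc:
        # Assumed format mirroring how ORM exception strings embed statement and parameters;
        # the parameters tuple carries the hashed password, so the UI now shows it.
        return f"Error: {exc} [SQL: INSERT INTO ab_user VALUES (?, ?)] [parameters: {params}]"
    return "Added"

def add_user_safe(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Hardened pattern: full detail goes to the server log, the UI gets a generic message + reference."""
    params = (username, hash_password(password))
    try:
        conn.execute("INSERT INTO ab_user VALUES (?, ?)", params)
    except sqlite3.DatabaseError as exc:
        ref = uuid.uuid4().hex[:8]
        # Log the engine error and username only; never log or return the parameters tuple.
        log.error("user add failed ref=%s username=%r error=%s", ref, username, exc)
        return f"Error: could not save user (ref {ref})"
    return "Added"
```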