Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/flask-appbuilder@0.10.7
Type pypi
Namespace
Name flask-appbuilder
Version 0.10.7
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 4.5.3
Latest_non_vulnerable_version 4.5.3
Affected_by_vulnerabilities
0
url VCID-7kd2-6yuh-9fe4
vulnerability_id VCID-7kd2-6yuh-9fe4
summary Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.
references
0
reference_url https://github.com/dpgaspar/Flask-AppBuilder
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder
1
reference_url https://github.com/dpgaspar/Flask-AppBuilder/commit/e2b744c258ff62ece9d5ac7172c3b4644ff4c2fe
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/commit/e2b744c258ff62ece9d5ac7172c3b4644ff4c2fe
2
reference_url https://github.com/dpgaspar/Flask-AppBuilder/commits/v3.4.4
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/commits/v3.4.4
3
reference_url https://github.com/dpgaspar/Flask-AppBuilder/pull/1775
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/pull/1775
4
reference_url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-21659
reference_id CVE-2022-21659
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2022-21659
7
reference_url https://github.com/advisories/GHSA-wfjw-w6pv-8p7f
reference_id GHSA-wfjw-w6pv-8p7f
reference_type
scores
url https://github.com/advisories/GHSA-wfjw-w6pv-8p7f
fixed_packages
0
url pkg:pypi/flask-appbuilder@3.4.2
purl pkg:pypi/flask-appbuilder@3.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-agw1-8rq2-nue5
1
vulnerability VCID-hg35-2qm4-b7h9
2
vulnerability VCID-k3kr-tvxd-73hx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@3.4.2
1
url pkg:pypi/flask-appbuilder@3.4.4
purl pkg:pypi/flask-appbuilder@3.4.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-agw1-8rq2-nue5
1
vulnerability VCID-hg35-2qm4-b7h9
2
vulnerability VCID-k3kr-tvxd-73hx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@3.4.4
aliases CVE-2022-21659, GHSA-wfjw-w6pv-8p7f, PYSEC-2022-24
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7kd2-6yuh-9fe4
1
url VCID-agw1-8rq2-nue5
vulnerability_id VCID-agw1-8rq2-nue5
summary Flask-AppBuilder is an application development framework built on top of the Flask Python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed password strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This issue has been fixed in version 4.1.3. Users are advised to upgrade. There are no known workarounds for this issue.
references
0
reference_url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.1.3
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.1.3
1
reference_url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-vgfc
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-vgfc
fixed_packages
0
url pkg:pypi/flask-appbuilder@4.1.3
purl pkg:pypi/flask-appbuilder@4.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hg35-2qm4-b7h9
1
vulnerability VCID-k3kr-tvxd-73hx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@4.1.3
aliases CVE-2022-31177, GHSA-32ff-4g79-vgfc, PYSEC-2022-247
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-agw1-8rq2-nue5
2
url VCID-hcrt-cr97-t3g5
vulnerability_id VCID-hcrt-cr97-t3g5
summary Flask-AppBuilder is an application development framework, built on top of Flask. In affected versions if using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder, this URL can redirect a user to a malicious site. This is an open redirect vulnerability. To resolve this issue upgrade to Flask-AppBuilder 3.2.2 or above. If upgrading is infeasible users may filter HTTP traffic containing `?next={next-site}` where the `next-site` domain is different from the application you are protecting as a workaround.
references
0
reference_url https://github.com/dpgaspar/Flask-AppBuilder
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder
1
reference_url https://github.com/dpgaspar/Flask-AppBuilder/commit/6af28521589599b1dbafd6313256229ee9a4fa74
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/commit/6af28521589599b1dbafd6313256229ee9a4fa74
2
reference_url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v3.3.2
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v3.3.2
3
reference_url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-624f-cqvr-3qw4
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-624f-cqvr-3qw4
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2021-359.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2021-359.yaml
5
reference_url https://pypi.org/project/Flask-AppBuilder
reference_id
reference_type
scores
url https://pypi.org/project/Flask-AppBuilder
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32805
reference_id CVE-2021-32805
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-32805
7
reference_url https://github.com/advisories/GHSA-624f-cqvr-3qw4
reference_id GHSA-624f-cqvr-3qw4
reference_type
scores
url https://github.com/advisories/GHSA-624f-cqvr-3qw4
fixed_packages
0
url pkg:pypi/flask-appbuilder@3.3.2
purl pkg:pypi/flask-appbuilder@3.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7kd2-6yuh-9fe4
1
vulnerability VCID-agw1-8rq2-nue5
2
vulnerability VCID-hg35-2qm4-b7h9
3
vulnerability VCID-k3kr-tvxd-73hx
4
vulnerability VCID-q16k-8utn-vfgp
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@3.3.2
aliases CVE-2021-32805, GHSA-624f-cqvr-3qw4, PYSEC-2021-359
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hcrt-cr97-t3g5
3
url VCID-hg35-2qm4-b7h9
vulnerability_id VCID-hg35-2qm4-b7h9
summary Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.
references
0
reference_url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp
fixed_packages
0
url pkg:pypi/flask-appbuilder@4.5.3
purl pkg:pypi/flask-appbuilder@4.5.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@4.5.3
aliases CVE-2025-24023, GHSA-p8q5-cvwx-wvwp, PYSEC-2025-15
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hg35-2qm4-b7h9
4
url VCID-k3kr-tvxd-73hx
vulnerability_id VCID-k3kr-tvxd-73hx
summary Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges could, by adding a special character on the add, edit User forms, trigger a database error; this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.
references
0
reference_url https://github.com/dpgaspar/Flask-AppBuilder
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder
1
reference_url https://github.com/dpgaspar/Flask-AppBuilder/commit/ae25ad4c87a9051ebe4a4e8f02aee73232642626
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/commit/ae25ad4c87a9051ebe4a4e8f02aee73232642626
2
reference_url https://github.com/dpgaspar/Flask-AppBuilder/pull/2045
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/pull/2045
3
reference_url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.2
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.2
4
reference_url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-jhpr-j7cq-3jp3
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-jhpr-j7cq-3jp3
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2023-94.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2023-94.yaml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-34110
reference_id CVE-2023-34110
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-34110
7
reference_url https://github.com/advisories/GHSA-jhpr-j7cq-3jp3
reference_id GHSA-jhpr-j7cq-3jp3
reference_type
scores
url https://github.com/advisories/GHSA-jhpr-j7cq-3jp3
fixed_packages
0
url pkg:pypi/flask-appbuilder@4.3.2
purl pkg:pypi/flask-appbuilder@4.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hg35-2qm4-b7h9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@4.3.2
aliases CVE-2023-34110, GHSA-jhpr-j7cq-3jp3, PYSEC-2023-94
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k3kr-tvxd-73hx
5
url VCID-q16k-8utn-vfgp
vulnerability_id VCID-q16k-8utn-vfgp
summary Flask-AppBuilder is a development framework built on top of Flask. Versions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. This only affects non database authentication types and new REST API endpoints. Users should upgrade to Flask-AppBuilder 3.3.4 to receive a patch.
references
0
reference_url https://github.com/dpgaspar/Flask-AppBuilder
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder
1
reference_url https://github.com/dpgaspar/Flask-AppBuilder/commit/eba517aab121afa3f3f2edb011ec6bc4efd61fbc
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/commit/eba517aab121afa3f3f2edb011ec6bc4efd61fbc
2
reference_url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v3.3.4
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v3.3.4
3
reference_url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-m3rf-7m4w-r66q
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-m3rf-7m4w-r66q
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2021-851.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2021-851.yaml
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-41265
reference_id CVE-2021-41265
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-41265
6
reference_url https://github.com/advisories/GHSA-m3rf-7m4w-r66q
reference_id GHSA-m3rf-7m4w-r66q
reference_type
scores
url https://github.com/advisories/GHSA-m3rf-7m4w-r66q
fixed_packages
0
url pkg:pypi/flask-appbuilder@3.3.4
purl pkg:pypi/flask-appbuilder@3.3.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7kd2-6yuh-9fe4
1
vulnerability VCID-agw1-8rq2-nue5
2
vulnerability VCID-hg35-2qm4-b7h9
3
vulnerability VCID-k3kr-tvxd-73hx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@3.3.4
aliases CVE-2021-41265, GHSA-m3rf-7m4w-r66q, PYSEC-2021-851
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q16k-8utn-vfgp
6
url VCID-v1vh-ycet-23ec
vulnerability_id VCID-v1vh-ycet-23ec
summary Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.
references
0
reference_url https://github.com/dpgaspar/Flask-AppBuilder/commit/780bd0e8fbf2d36ada52edb769477e0a4edae580
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/commit/780bd0e8fbf2d36ada52edb769477e0a4edae580
1
reference_url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-434h-p4gx-jm89
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-434h-p4gx-jm89
2
reference_url https://pypi.org/project/Flask-AppBuilder/
reference_id
reference_type
scores
url https://pypi.org/project/Flask-AppBuilder/
fixed_packages
0
url pkg:pypi/flask-appbuilder@3.3.0
purl pkg:pypi/flask-appbuilder@3.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7kd2-6yuh-9fe4
1
vulnerability VCID-agw1-8rq2-nue5
2
vulnerability VCID-hcrt-cr97-t3g5
3
vulnerability VCID-hg35-2qm4-b7h9
4
vulnerability VCID-k3kr-tvxd-73hx
5
vulnerability VCID-q16k-8utn-vfgp
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@3.3.0
aliases CVE-2021-29621, GHSA-434h-p4gx-jm89, PYSEC-2021-90
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v1vh-ycet-23ec
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@0.10.7