Search for packages
| purl | pkg:pypi/flask-appbuilder@4.3.2rc1 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-cefr-t1w9-9yck
Aliases: CVE-2023-34110 GHSA-jhpr-j7cq-3jp3 PYSEC-2023-94 |
Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2. |
Affected by 5 other vulnerabilities. |
|
VCID-cezb-crna-wbgc
Aliases: CVE-2025-24023 GHSA-p8q5-cvwx-wvwp PYSEC-2025-15 |
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3. |
Affected by 2 other vulnerabilities. |
|
VCID-cvdh-9e2n-fbe5
Aliases: CVE-2024-25128 GHSA-j2pw-vp55-fqqj |
Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID ### Impact When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol (which is very different from the popular OIDC - Open ID Connect - popular protocol used today). Currently, this protocol is regarded as legacy, with significantly reduced usage and not supported for several years by major authorization providers. ### Patches Upgrade to Flask-AppBuilder 4.3.11 ### Workarounds If upgrade is not possible add the following to your config: ``` from flask import flash, redirect from flask_appbuilder import expose from flask_appbuilder.security.sqla.manager import SecurityManager from flask_appbuilder.security.views import AuthOIDView from flask_appbuilder.security.forms import LoginForm_oid basedir = os.path.abspath(os.path.dirname(__file__)) class FixedOIDView(AuthOIDView): @expose("/login/", methods=["GET", "POST"]) def login(self, flag=True): form = LoginForm_oid() if form.validate_on_submit(): identity_url = None for provider in self.appbuilder.sm.openid_providers: if provider.get("url") == form.openid.data: identity_url = form.openid.data if identity_url is None: flash(self.invalid_login_message, "warning") return redirect(self.appbuilder.get_url_for_login) return super().login(flag=flag) class FixedSecurityManager(SecurityManager): authoidview = FixedOIDView FAB_SECURITY_MANAGER_CLASS = "config.FixedSecurityManager" ``` |
Affected by 4 other vulnerabilities. |
|
VCID-puft-harf-r3dr
Aliases: CVE-2025-58065 GHSA-765j-9r45-w2q2 |
Affected by 0 other vulnerabilities. |
|
|
VCID-skmv-ftq7-myep
Aliases: CVE-2024-45314 GHSA-fw5r-6m3x-rh7p |
Affected by 3 other vulnerabilities. |
|
|
VCID-xr2g-amfq-uygy
Aliases: CVE-2025-32962 GHSA-99pm-ch96-ccp2 |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||