Look up vulnerable packages by Package URL (purl).

Purl pkg:pypi/flask-appbuilder@4.1.0
Type pypi
Namespace
Name flask-appbuilder
Version 4.1.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 4.5.3
Latest_non_vulnerable_version 4.5.3
Affected_by_vulnerabilities
0
url VCID-agw1-8rq2-nue5
vulnerability_id VCID-agw1-8rq2-nue5
summary Flask-AppBuilder is an application development framework built on top of the Flask python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed password strings. These filters could be made using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This issue has been fixed in version 4.1.3. Users are advised to upgrade. There are no known workarounds for this issue.
references
0
reference_url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.1.3
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.1.3
1
reference_url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-vgfc
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-vgfc
fixed_packages
0
url pkg:pypi/flask-appbuilder@4.1.3
purl pkg:pypi/flask-appbuilder@4.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hg35-2qm4-b7h9
1
vulnerability VCID-k3kr-tvxd-73hx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@4.1.3
aliases CVE-2022-31177, GHSA-32ff-4g79-vgfc, PYSEC-2022-247
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-agw1-8rq2-nue5
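The advisory above describes a filter oracle: the list endpoint never returns the password hash, but letting a caller filter on the password column with a starts-with match is enough to recover the hash one character at a time. The following added example (written for this page, not Flask-AppBuilder's code) models that on a constructed in-memory user table with Werkzeug-style pbkdf2:sha256 hash strings, shows the character-by-character recovery against the unrestricted filter, and the allowlist fix that refuses to filter on columns the endpoint does not return. The field names, the `sw`/`eq` operators and the helper names are assumptions made for the example.

```python
import hashlib
import os
import string

PBKDF2_ITERATIONS = 50_000


def pbkdf2_string(password: str) -> str:
    """Build a Werkzeug-style 'pbkdf2:sha256:<iterations>$<salt>$<hexdigest>'
    string locally; this is the format of the stored hashes the advisory mentions."""
    salt = os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), PBKDF2_ITERATIONS
    ).hex()
    return f"pbkdf2:sha256:{PBKDF2_ITERATIONS}${salt}${digest}"


# Constructed in-memory user table for the example (not Flask-AppBuilder's model).
USERS = [
    {"id": 1, "username": "admin", "email": "admin@example.test",
     "password": pbkdf2_string("s3cret-admin")},
    {"id": 2, "username": "alice", "email": "alice@example.test",
     "password": pbkdf2_string("hunter2")},
]

# Columns the list endpoint returns; the password hash is never in a response.
PUBLIC_COLUMNS = ("id", "username", "email")

# Every character that can occur in the hash string format above.
HASH_ALPHABET = string.ascii_lowercase + string.digits + ":$"


def matches(actual: str, op: str, value: str) -> bool:
    if op == "sw":            # assumed "starts with" operator
        return actual.startswith(value)
    if op == "eq":            # assumed "equals" operator
        return actual == value
    raise ValueError(f"unsupported operator {op!r}")


def list_users_unrestricted(field: str, op: str, value: str) -> list:
    """Vulnerable pattern: any model column, the password hash included, may be
    used as a filter even though only public columns are returned."""
    rows = [u for u in USERS if matches(str(u[field]), op, value)]
    return [{k: u[k] for k in PUBLIC_COLUMNS} for u in rows]


def list_users_allowlisted(field: str, op: str, value: str) -> list:
    """Hardened pattern: filterable columns are the same allowlist as the
    columns the endpoint is willing to return."""
    if field not in PUBLIC_COLUMNS:
        raise ValueError(f"column {field!r} is not filterable")
    return list_users_unrestricted(field, op, value)


def recover_hash_prefix(list_users, username: str, length: int,
                        alphabet: str = HASH_ALPHABET) -> str:
    """Use the starts-with filter as an oracle: extend the known prefix one
    character at a time, keeping a guess whenever the target user appears."""
    known = ""
    while len(known) < length:
        for ch in alphabet:
            rows = list_users("password", "sw", known + ch)
            if any(r["username"] == username for r in rows):
                known += ch
                break
        else:
            break  # no character extends the prefix; stop early
    return known


def oracle_queries(length: int, alphabet: str = HASH_ALPHABET) -> int:
    """Upper bound on requests needed: one per alphabet character per position."""
    return length * len(alphabet)


if __name__ == "__main__":
    prefix = recover_hash_prefix(list_users_unrestricted, "admin", 40)
    print("recovered:", prefix, "in at most", oracle_queries(40), "requests")
    try:
        list_users_allowlisted("password", "sw", "pbkdf2")
    except ValueError as exc:
        print("allowlisted endpoint:", exc)
```

The recovery needs at most `len(alphabet)` requests per character, so a full pbkdf2 string of roughly 100 characters costs a few thousand authenticated requests, well within what an Admin-level attacker can issue; the salt and digest recovered this way can then be cracked offline.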
1
url VCID-hg35-2qm4-b7h9
vulnerability_id VCID-hg35-2qm4-b7h9
summary Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.
references
0
reference_url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp
fixed_packages
0
url pkg:pypi/flask-appbuilder@4.5.3
purl pkg:pypi/flask-appbuilder@4.5.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@4.5.3
aliases CVE-2025-24023, GHSA-p8q5-cvwx-wvwp, PYSEC-2025-15
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hg35-2qm4-b7h9
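The username enumeration above is a timing side channel in the login path: a request for an unknown user returns before any password hashing runs, while a wrong password for a real user pays the full PBKDF2 cost. The following added example (written for this page, not Flask-AppBuilder's login code) shows that leaky shape next to a constant-work version that always hashes, against a dummy record when the user does not exist, and counts hash evaluations so the difference is visible without relying on wall-clock measurements. The user table, iteration count and function names are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Kept low so the example runs quickly; production costs are much higher,
# which only widens the timing gap shown here.
PBKDF2_ITERATIONS = 50_000

# Counts PBKDF2 evaluations so the two login paths can be compared exactly.
HASH_CALLS = {"count": 0}


def hash_password(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed in-memory user table for the example (not Flask-AppBuilder's model).
USERS = {"admin": make_user("correct horse battery staple")}

# A throwaway credential that is verified whenever the username does not exist,
# so the unknown-user path does the same PBKDF2 work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder-never-accepted", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: an unknown username returns before any hashing,
    so its response is measurably faster than a wrong password for a real user."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])


def login_constant_work(username: str, password: str) -> bool:
    """Hardened pattern: always run the password hash, against a dummy record
    when the user is unknown, and only then fold in whether the user exists."""
    user = USERS.get(username)
    exists = user is not None
    salt = user["salt"] if exists else _DUMMY_SALT
    expected = user["hash"] if exists else _DUMMY_HASH
    candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, expected)
    return matched and exists


def hash_calls_for(login, username: str, password: str) -> int:
    """Number of PBKDF2 evaluations one login attempt triggers."""
    HASH_CALLS["count"] = 0
    login(username, password)
    return HASH_CALLS["count"]


def median_seconds(login, username: str, password: str, rounds: int = 5) -> float:
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(username, password)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[rounds // 2]


if __name__ == "__main__":
    for name, login in (("leaky", login_leaky), ("constant-work", login_constant_work)):
        unknown = median_seconds(login, "no-such-user", "x")
        wrong = median_seconds(login, "admin", "x")
        print(f"{name:14s} unknown user: {unknown:.4f}s  wrong password: {wrong:.4f}s")
```

The dummy-hash approach equalises the hashing cost, which is the dominant term; a remaining difference in database lookup time is a separate, much smaller channel and is best handled by rate limiting and lockout on the login endpoint rather than by further padding.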
2
url VCID-k3kr-tvxd-73hx
vulnerability_id VCID-k3kr-tvxd-73hx
summary Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges could, by adding a special character on the add and edit User forms, trigger a database error that is surfaced back to this actor in the UI. On certain database engines this error can include the entire user row, including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.
references
0
reference_url https://github.com/dpgaspar/Flask-AppBuilder
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder
1
reference_url https://github.com/dpgaspar/Flask-AppBuilder/commit/ae25ad4c87a9051ebe4a4e8f02aee73232642626
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/commit/ae25ad4c87a9051ebe4a4e8f02aee73232642626
2
reference_url https://github.com/dpgaspar/Flask-AppBuilder/pull/2045
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/pull/2045
3
reference_url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.2
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.2
4
reference_url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-jhpr-j7cq-3jp3
reference_id
reference_type
scores
url https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-jhpr-j7cq-3jp3
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2023-94.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2023-94.yaml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-34110
reference_id CVE-2023-34110
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-34110
7
reference_url https://github.com/advisories/GHSA-jhpr-j7cq-3jp3
reference_id GHSA-jhpr-j7cq-3jp3
reference_type
scores
url https://github.com/advisories/GHSA-jhpr-j7cq-3jp3
fixed_packages
0
url pkg:pypi/flask-appbuilder@4.3.2
purl pkg:pypi/flask-appbuilder@4.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hg35-2qm4-b7h9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@4.3.2
aliases CVE-2023-34110, GHSA-jhpr-j7cq-3jp3, PYSEC-2023-94
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k3kr-tvxd-73hx
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@4.1.0
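One detail of this lookup that a remediation script must not miss: the version that fixes VCID-agw1-8rq2-nue5 (4.1.3) and the one that fixes VCID-k3kr-tvxd-73hx (4.3.2) are both themselves reported as `is_vulnerable true`, so "upgrade to the fixed version" is not the same as "upgrade to a safe version". The following added example (written for this page, not VulnerableCode's own client code) parses a Package URL into its components, reads a constructed reduction of the response above, lists every fix version that is still affected by another advisory, and picks the smallest fix version the lookup reports as non-vulnerable. The `lookup_url` helper assumes a `/api/packages?purl=` query form for a VulnerableCode instance; confirm it against your instance's API documentation. The simplified `version_key` orders dotted numeric releases only and is not a full PEP 440 comparison.

```python
import re
from urllib.parse import quote, unquote

# Constructed reduction of the lookup shown on this page: only the fields the
# functions below read are kept, with the values copied from the page.
LOOKUP = {
    "purl": "pkg:pypi/flask-appbuilder@4.1.0",
    "is_vulnerable": True,
    "next_non_vulnerable_version": "4.5.3",
    "latest_non_vulnerable_version": "4.5.3",
    "affected_by_vulnerabilities": [
        {"vulnerability_id": "VCID-agw1-8rq2-nue5",
         "aliases": ["CVE-2022-31177", "GHSA-32ff-4g79-vgfc", "PYSEC-2022-247"],
         "fixed_packages": [{"purl": "pkg:pypi/flask-appbuilder@4.1.3", "is_vulnerable": True,
                             "affected_by_vulnerabilities": [{"vulnerability": "VCID-hg35-2qm4-b7h9"},
                                                             {"vulnerability": "VCID-k3kr-tvxd-73hx"}]}]},
        {"vulnerability_id": "VCID-hg35-2qm4-b7h9",
         "aliases": ["CVE-2025-24023", "GHSA-p8q5-cvwx-wvwp", "PYSEC-2025-15"],
         "fixed_packages": [{"purl": "pkg:pypi/flask-appbuilder@4.5.3", "is_vulnerable": False,
                             "affected_by_vulnerabilities": []}]},
        {"vulnerability_id": "VCID-k3kr-tvxd-73hx",
         "aliases": ["CVE-2023-34110", "GHSA-jhpr-j7cq-3jp3", "PYSEC-2023-94"],
         "fixed_packages": [{"purl": "pkg:pypi/flask-appbuilder@4.3.2", "is_vulnerable": True,
                             "affected_by_vulnerabilities": [{"vulnerability": "VCID-hg35-2qm4-b7h9"}]}]},
    ],
}


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its components."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL: " + purl)
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    ptype, _, rest = rest.partition("/")
    # The version is introduced by an '@' after the last '/', so an '@' inside
    # a namespace segment (npm scopes) is not mistaken for it.
    path, version = rest, ""
    at = rest.rfind("@")
    if at > rest.rfind("/"):
        path, version = rest[:at], rest[at + 1:]
    segments = [unquote(s) for s in path.split("/") if s]
    if not segments:
        raise ValueError("missing package name: " + purl)
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, val = pair.partition("=")
        quals[key.lower()] = unquote(val)
    return {"type": ptype.lower(), "namespace": "/".join(segments[:-1]),
            "name": segments[-1], "version": unquote(version),
            "qualifiers": quals, "subpath": unquote(subpath)}


def version_key(version: str) -> tuple:
    """Simplified ordering for dotted numeric releases (not full PEP 440);
    a non-numeric segment counts as 0."""
    parts = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def fixed_but_still_vulnerable(lookup: dict) -> list:
    """Fix versions that the lookup itself reports as affected by other advisories."""
    residual = []
    for vuln in lookup["affected_by_vulnerabilities"]:
        for fixed in vuln["fixed_packages"]:
            if fixed["is_vulnerable"]:
                still = [a["vulnerability"] for a in fixed["affected_by_vulnerabilities"]]
                residual.append((vuln["vulnerability_id"], fixed["purl"], still))
    return residual


def upgrade_target(lookup: dict) -> str:
    """Smallest fix version reported as non-vulnerable; falls back to the
    response's next_non_vulnerable_version when no fixed_packages entry is clean."""
    current = parse_purl(lookup["purl"])["version"]
    if not lookup["is_vulnerable"]:
        return current
    safe = {parse_purl(f["purl"])["version"]
            for v in lookup["affected_by_vulnerabilities"]
            for f in v["fixed_packages"] if not f["is_vulnerable"]}
    return min(safe, key=version_key) if safe else lookup["next_non_vulnerable_version"]


def remediation_report(lookup: dict) -> list:
    lines = [f"{lookup['purl']}: vulnerable={lookup['is_vulnerable']}, "
             f"upgrade to {upgrade_target(lookup)}"]
    for vuln in lookup["affected_by_vulnerabilities"]:
        aliases = ", ".join(vuln["aliases"])
        for fixed in vuln["fixed_packages"]:
            fix_version = parse_purl(fixed["purl"])["version"]
            note = ""
            if fixed["is_vulnerable"]:
                still = ", ".join(a["vulnerability"] for a in fixed["affected_by_vulnerabilities"])
                note = f" (still affected by {still})"
            lines.append(f"  {vuln['vulnerability_id']} [{aliases}] fixed in {fix_version}{note}")
    return lines


def lookup_url(base: str, purl: str) -> str:
    """Assumed query form for a VulnerableCode instance's packages API."""
    return f"{base.rstrip('/')}/api/packages?purl={quote(purl, safe='')}"


if __name__ == "__main__":
    print("\n".join(remediation_report(LOOKUP)))
```

Run against the page's data, the report shows 4.1.3 still affected by two advisories and 4.3.2 by one, with 4.5.3 as the only fix version the lookup reports as clean, which matches the `Next_non_vulnerable_version` and `Latest_non_vulnerable_version` fields at the top of the response.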