Search for packages
| purl | pkg:pypi/flask-appbuilder@3.3.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7ek6-k8zm-97g4
Aliases: CVE-2023-29005 GHSA-9hcr-9hcv-x6pv |
Flask-AppBuilder Has No Rate Limiting on Login AUTH DB Lack of rate limiting will allow an attacker to brute-force user credentials. |
Affected by 6 other vulnerabilities. |
|
VCID-7kd2-6yuh-9fe4
Aliases: CVE-2022-21659 GHSA-wfjw-w6pv-8p7f PYSEC-2022-24 |
Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue. |
Affected by 10 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-8zwq-xg8n-q7g9
Aliases: CVE-2025-32962 GHSA-99pm-ch96-ccp2 |
Flask-AppBuilder open redirect vulnerability using HTTP host injection Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. |
Affected by 1 other vulnerability. |
|
VCID-agw1-8rq2-nue5
Aliases: CVE-2022-31177 GHSA-32ff-4g79-vgfc GMS-2022-3340 PYSEC-2022-247 |
Flask-AppBuilder is an application development framework built on top of Flask python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This issue has been fixed in version 4.1.3. Users are advised to upgrade. There are no known workarounds for this issue. |
Affected by 7 other vulnerabilities. |
|
VCID-hg35-2qm4-b7h9
Aliases: CVE-2025-24023 GHSA-p8q5-cvwx-wvwp PYSEC-2025-15 |
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3. |
Affected by 2 other vulnerabilities. |
|
VCID-k3kr-tvxd-73hx
Aliases: CVE-2023-34110 GHSA-jhpr-j7cq-3jp3 PYSEC-2023-94 |
Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2. |
Affected by 5 other vulnerabilities. |
|
VCID-nc2g-v8pn-nqcy
Aliases: CVE-2024-25128 GHSA-j2pw-vp55-fqqj |
Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID ### Impact When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol (which is very different from the popular OIDC - Open ID Connect - popular protocol used today). Currently, this protocol is regarded as legacy, with significantly reduced usage and not supported for several years by major authorization providers. ### Patches Upgrade to Flask-AppBuilder 4.3.11 ### Workarounds If upgrade is not possible add the following to your config: ``` from flask import flash, redirect from flask_appbuilder import expose from flask_appbuilder.security.sqla.manager import SecurityManager from flask_appbuilder.security.views import AuthOIDView from flask_appbuilder.security.forms import LoginForm_oid basedir = os.path.abspath(os.path.dirname(__file__)) class FixedOIDView(AuthOIDView): @expose("/login/", methods=["GET", "POST"]) def login(self, flag=True): form = LoginForm_oid() if form.validate_on_submit(): identity_url = None for provider in self.appbuilder.sm.openid_providers: if provider.get("url") == form.openid.data: identity_url = form.openid.data if identity_url is None: flash(self.invalid_login_message, "warning") return redirect(self.appbuilder.get_url_for_login) return super().login(flag=flag) class FixedSecurityManager(SecurityManager): authoidview = FixedOIDView FAB_SECURITY_MANAGER_CLASS = "config.FixedSecurityManager" ``` |
Affected by 4 other vulnerabilities. |
|
VCID-q16k-8utn-vfgp
Aliases: CVE-2021-41265 GHSA-m3rf-7m4w-r66q PYSEC-2021-851 |
Flask-AppBuilder is a development framework built on top of Flask. Verions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. This only affects non database authentication types and new REST API endpoints. Users should upgrade to Flask-AppBuilder 3.3.4 to receive a patch. |
Affected by 10 other vulnerabilities. |
|
VCID-swdd-djht-pbbh
Aliases: CVE-2024-45314 GHSA-fw5r-6m3x-rh7p |
Flask-AppBuilder's login form allows browser to cache sensitive fields Auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. |
Affected by 3 other vulnerabilities. |
|
VCID-t22u-emet-kugw
Aliases: CVE-2022-24776 GHSA-2ccw-7px8-vmpf |
URL Redirection to Untrusted Site ('Open Redirect') Flask-AppBuilder is an application development framework, built on top of the Flask web framework. Flask-AppBuilder contains an open redirect vulnerability when using database authentication login page on versions below 3.4.5. This issue is fixed in version 3.4.5. There are currently no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-t897-gphs-wugu
Aliases: CVE-2025-58065 GHSA-765j-9r45-w2q2 |
Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||