CVE-2022-31177

Flask-AppBuilder is an application development framework built on top of Flask python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This issue has been fixed in version 4.1.3. Users are advised to upgrade. There are no known workarounds for this issue.
Configurations

Configuration 1 (hide)

cpe:2.3:a:flask-appbuilder_project:flask-appbuilder:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:04

Type Values Removed Values Added
References () https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.1.3 - Release Notes, Third Party Advisory () https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.1.3 - Release Notes, Third Party Advisory
References () https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-vgfc - Third Party Advisory () https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-vgfc - Third Party Advisory

24 Jul 2023, 13:08

Type Values Removed Values Added
CWE CWE-916 NVD-CWE-Other

Information

Published : 2022-08-01 19:15

Updated : 2024-11-21 07:04


NVD link : CVE-2022-31177

Mitre link : CVE-2022-31177

CVE.ORG link : CVE-2022-31177


JSON object : View

Products Affected

flask-appbuilder_project

  • flask-appbuilder
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-Other