CVE-2022-31177: Sensitive Information Exposure in Flask-AppBuilder

Severity
2.7 LOW (NVD)
EPSS
0.3%
top 42.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 1

Description

Flask-AppBuilder is an application development framework built on top of the Flask Python framework. In versions prior to 4.1.3, an authenticated Admin user could query other users by their salted and hashed password strings, and these filters could be built from partial hash strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and the users they belong to. This issue has been fixed in version 4.1.3. Users are advised to upgrade. T
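The bug class described above is a list/search endpoint that honours filters on a column it never returns: the response is clean, but the set of matching rows still reveals whether a given prefix matches a stored hash. The following is an added illustration, not Flask-AppBuilder code; the user table, the `_flt_<op>_<col>` parameter syntax and the column names are constructed assumptions for the demo. It contrasts the vulnerable pattern (only stripping the column from the response) with the hardened pattern (an allowlist of filterable columns enforced before any filtering runs).

```python
"""Allowlisting filterable columns in a list/search API.

Added illustration of the CVE-2022-31177 bug class. It is NOT
Flask-AppBuilder code: the records, column names and filter-parameter
syntax below are constructed assumptions for this example.
"""
from typing import Any

# Constructed sample table; the hash strings are fake placeholders.
USERS = [
    {"id": 1, "username": "alice", "email": "alice@example.com",
     "password": "pbkdf2:sha256:260000$PLACEHOLDER_A$aaaa1111"},
    {"id": 2, "username": "bob", "email": "bob@example.com",
     "password": "pbkdf2:sha256:260000$PLACEHOLDER_B$bbbb2222"},
]

# Columns the API may filter on and return. The credential column is
# deliberately absent from both, so no caller (admin included) can use it
# as a filter or see it in a response.
FILTERABLE_COLUMNS = frozenset({"id", "username", "email"})
RESPONSE_COLUMNS = ("id", "username", "email")


class FilterError(ValueError):
    """Raised for malformed filters or filters on non-allowlisted columns."""


def parse_filters(query: dict[str, str]) -> list[tuple[str, str, str]]:
    """Parse '_flt_<op>_<col>=<value>' params into (col, op, value) triples.

    Supported ops: 'eq' (equals) and 'sw' (starts-with). The parameter
    naming is an assumption for this demo, not a real framework's syntax.
    """
    filters = []
    for key, value in query.items():
        if not key.startswith("_flt_"):
            continue  # not a filter parameter (e.g. paging), ignore
        try:
            _, _, op, col = key.split("_", 3)
        except ValueError:
            raise FilterError(f"malformed filter parameter {key!r}")
        if op not in ("eq", "sw"):
            raise FilterError(f"unsupported operator {op!r}")
        filters.append((col, op, value))
    return filters


def list_users(query: dict[str, str], *,
               enforce_allowlist: bool = True) -> list[dict[str, Any]]:
    """Return users matching the request filters, minus sensitive columns.

    enforce_allowlist=True is the hardened behaviour: any filter on a column
    outside FILTERABLE_COLUMNS is rejected before the query runs.
    enforce_allowlist=False reproduces the vulnerable pattern: the password
    column is stripped from the response, yet filtering on it is honoured,
    so which rows come back reveals whether a hash prefix matched.
    """
    filters = parse_filters(query)
    if enforce_allowlist:
        for col, _, _ in filters:
            if col not in FILTERABLE_COLUMNS:
                raise FilterError(f"filtering on column {col!r} is not permitted")
    rows = USERS
    for col, op, value in filters:
        if op == "eq":
            rows = [r for r in rows if str(r.get(col)) == value]
        else:  # "sw"
            rows = [r for r in rows if str(r.get(col)).startswith(value)]
    # Projection happens last, but on its own it is not a sufficient control.
    return [{c: r[c] for c in RESPONSE_COLUMNS} for r in rows]


if __name__ == "__main__":
    print(list_users({"_flt_eq_username": "alice"}))
    try:
        list_users({"_flt_sw_password": "pbkdf2:sha256:260000$PLACEHOLDER_A"})
    except FilterError as exc:
        print("rejected:", exc)
```

The design point is that the allowlist is checked on the parsed filter columns, not on the rendered response: projection alone leaves a membership oracle, while rejecting the filter up front removes the signal entirely. A real fix in a framework would keep the same shape, with the allowlist derived from the model's declared search/filter columns rather than a hand-written set.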

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Exploitability: 1.2 | Impact: 1.4

Affected Packages (3 packages)

Vulnerability Details (4 references)

- OSV: CVE-2022-31177: Flask-AppBuilder is an application development framework built on top of Flask python framework (2022-08-01)
- CVEList: Possible to infer sensitive information through query strings in Flask-AppBuilder (2022-08-01)
- OSV: Flask-AppBuilder before v4.1.3 allows inference of sensitive information through query strings (2022-07-29)
- GHSA: Flask-AppBuilder before v4.1.3 allows inference of sensitive information through query strings (2022-07-29)
CVE-2022-31177 — Sensitive Information Exposure | cvebase