CVE-2022-31177 LOW

CVE-2022-31177: Possible to infer sensitive information through query strings in Flask-AppBuilder

Vendor Dpgaspar

Product Flask-AppBuilder

Weakness CWE-200 · Info exposure

Published August 1, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

2.7/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Flask-AppBuilder is an application development framework built on top of Flask python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This issue has been fixed in version 4.1.3. Users are advised to upgrade. There are no known workarounds for this issue.

Key dates

02Disclosure timeline

August 1, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-31177 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2022-31177: Possible to infer sensitive information through query strings in Flask-AppBuilder

01Description

02Disclosure timeline

03References

04Related CVE