CVE-2023-34110 LOW

CVE-2023-34110: Flask-AppBuilder vulnerable to possible disclosure of sensitive information on user error

Vendor Dpgaspar
Product Flask-AppBuilder
Weakness CWE-209 · Error message info leak
Published June 22, 2023
Last update December 6, 2024

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.

Key dates

02Disclosure timeline

June 22, 2023 CVE published
December 6, 2024 Record updated