CVE Catalog

CVE-2023-34110

LowCVSS 2.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.54%

41th percentile — higher than 41% of all known CVEs

Summary

Flask-AppBuilder is an application development framework that prior to version 4.3.2 had a vulnerability allowing an authenticated attacker with Admin privileges to trigger a database error by adding a special character in the add or edit User forms. This error could expose the entire user row, including the pbkdf2:sha256 hashed password.

Risk Assessment

The organization may be at risk of exposing sensitive user data, including passwords, which could lead to unauthorized access to user accounts.

Recommendation

It is recommended to upgrade to version 4.3.2 or later to mitigate this vulnerability and review application security.

Original NVD description (English source)

Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS