CVE-2023-34110
LowCVSS 2.7Exploitation Probability (EPSS)
Low risk41th percentile — higher than 41% of all known CVEs
Summary
Flask-AppBuilder is an application development framework that prior to version 4.3.2 had a vulnerability allowing an authenticated attacker with Admin privileges to trigger a database error by adding a special character in the add or edit User forms. This error could expose the entire user row, including the pbkdf2:sha256 hashed password.
Risk Assessment
The organization may be at risk of exposing sensitive user data, including passwords, which could lead to unauthorized access to user accounts.
Recommendation
It is recommended to upgrade to version 4.3.2 or later to mitigate this vulnerability and review application security.
Original NVD description (English source)
Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.

