Update dependency flask-appbuilder to v4 [SECURITY] (master) #126
This PR contains the following updates:
flask-appbuilder: ==2.3.0 -> ==4.5.1
GitHub Vulnerability Alerts
CVE-2021-29621
Impact
User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows a non-authenticated user to enumerate existing accounts by timing the server's response time when logging in.
Patches
Upgrade to 3.3.0
CVE-2021-32805
Impact
If using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder; this URL can redirect a user to a malicious site. This is an open redirect vulnerability.
Patches
Install Flask-AppBuilder 3.2.2 or above
Workarounds
Filter HTTP traffic containing ?next={next-site} where the next-site domain is different from the application you are protecting.
CVE-2021-41265
Impact
Improper authentication on the REST API. Allows a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. Only affects non-database authentication types and new REST API endpoints.
Patches
Upgrade to Flask-AppBuilder 3.3.4
CVE-2022-21659
Impact
User enumeration in database authentication in Flask-AppBuilder < 3.4.4. Allows a non-authenticated user to enumerate existing accounts by timing the server's response time when logging in.
Patches
Upgrade to 3.4.4
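Both database-authentication advisories above (CVE-2021-29621 and CVE-2022-21659) describe the same side channel: a login path that returns early, without computing a password hash, when the username does not exist, so an unknown user answers orders of magnitude faster than a known user with a wrong password. The following is an added example and not Flask-AppBuilder's own code: a constructed in-memory user store, a deliberately vulnerable login beside a fixed one that always performs one full hash verification (against a dummy credential when the user is unknown), and a helper that measures the timing gap. The PBKDF2 parameters, the sample user and the `enumeration_ratio` helper are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Hash cost chosen so one verification takes a measurable, consistent time
# (assumption for the demo; FAB itself delegates hashing to werkzeug).
ITERATIONS = 200_000


def make_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: username -> (salt, hash). Not FAB's schema.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, make_hash("correct horse", _SALT))}

# Dummy credential verified when the username is unknown, so the
# unknown-user path costs the same as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = make_hash("placeholder", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: no hashing, so the response is far
    faster than for a known user with a bad password (the timing oracle)."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(make_hash(password, salt), stored)


def login_fixed(username: str, password: str) -> bool:
    """Always runs one full hash verification; the result for an unknown
    user is forced to False only after the same work has been done."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, stored = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    password_ok = hmac.compare_digest(make_hash(password, salt), stored)
    return password_ok and user_exists


def _best_of(fn, *args, repeat: int = 3) -> float:
    """Minimum wall-clock time of fn(*args) over several runs, in seconds."""
    best = float("inf")
    for _ in range(repeat):
        start = time.perf_counter()
        fn(*args)
        best = min(best, time.perf_counter() - start)
    return best


def enumeration_ratio(login) -> float:
    """How much longer a known user with a wrong password takes than an
    unknown user. About 1.0 means no timing oracle; large means enumerable."""
    known = _best_of(login, "alice", "wrong password")
    unknown = _best_of(login, "nobody", "wrong password")
    return known / unknown


if __name__ == "__main__":
    print("vulnerable known/unknown ratio: %.1f" % enumeration_ratio(login_vulnerable))
    print("fixed known/unknown ratio:      %.1f" % enumeration_ratio(login_fixed))
```

The fix is the standard one: do the expensive work on every path and decide the outcome afterwards. Note that `hmac.compare_digest` only removes the byte-comparison timing difference; it does nothing for the missing-hash difference, which is why the dummy verification is needed.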
CVE-2022-24776
Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 3.4.5 contain an open redirect vulnerability when using the database authentication login page. There are no known workarounds. Users are recommended to upgrade to version 3.4.5 or later.
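The two open-redirect advisories (CVE-2021-32805 on the OAuth flow and CVE-2022-24776 on the database login page) both come down to trusting a `next` parameter that can name a foreign host. The following is an added example and not Flask-AppBuilder's own code: a validator that only accepts same-application destinations, a resolver that falls back to a default, and a request-level check that implements the earlier workaround ("filter traffic whose next-site domain differs from the application"). `APP_HOST` and the function names are assumptions for the demonstration.

```python
from urllib.parse import parse_qs, urlsplit

# Host the application is served from (assumption for the demo).
APP_HOST = "app.example.com"


def is_safe_next(next_url: str, app_host: str = APP_HOST) -> bool:
    """True only if next_url stays on this application.

    Accepts absolute-path references ("/dashboard") and absolute URLs whose
    netloc is exactly app_host. Rejects scheme-relative URLs ("//evil"),
    backslash tricks ("/\\evil", which browsers read as "//evil"), foreign
    hosts, userinfo tricks ("https://app.example.com@evil") and non-http
    schemes such as "javascript:".
    """
    if not next_url:
        return False
    parts = urlsplit(next_url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if not parts.netloc:
        # Relative reference: must be a plain absolute path.
        return (next_url.startswith("/")
                and not next_url.startswith("//")
                and not next_url.startswith("/\\"))
    # Absolute URL: netloc must match exactly. netloc includes userinfo and
    # port, so "app.example.com@evil.example" and "evil.example:443" fail.
    return parts.netloc.lower() == app_host.lower()


def resolve_next(next_url: str, app_host: str = APP_HOST, default: str = "/") -> str:
    """Post-login destination: next_url if it is safe, otherwise default."""
    return next_url if is_safe_next(next_url, app_host) else default


def has_external_next(request_url: str, app_host: str = APP_HOST) -> bool:
    """The advisory's workaround as a proxy/WAF rule: does the request's
    ?next= parameter point off-site? parse_qs decodes percent-encoding, so
    "?next=%2F%2Fevil.example" is caught as well."""
    query = parse_qs(urlsplit(request_url).query)
    return any(not is_safe_next(n, app_host) for n in query.get("next", []))
```

Comparing the whole netloc rather than a parsed hostname is deliberate: it is the conservative choice, and any userinfo or port variant that differs from the configured value is rejected rather than reasoned about.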
CVE-2022-31177
Impact
An authenticated Admin user could craft HTTP requests to filter users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users.
Only when using the AUTH_DB database authentication option.
Patches
Fixed on 4.1.3
CVE-2023-29005
Impact
Lack of rate limiting will allow an attacker to brute-force user credentials.
Patches
Ability to enable rate limiting on Flask-AppBuilder >= 4.3.0. Use AUTH_RATE_LIMITED = True and RATELIMIT_ENABLED = True, and set the limit itself by using AUTH_RATE_LIMIT. Will apply only to database authentication.
Workarounds
Implement rate limiting using a reverse proxy or other strategies.
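To make the rate-limiting fix concrete, here is an added example, not Flask-AppBuilder's own implementation: a sliding-window limiter keyed by client address and username that accepts limit strings in the "N per M unit" form that AUTH_RATE_LIMIT takes, replayed against a constructed attempt log. The default limit string "5 per 40 second", the bucket key and the replay helper are assumptions for the demonstration.

```python
import re
import time
from collections import defaultdict, deque

# Limit strings such as "5 per 40 second" or "100/hour" (the form
# AUTH_RATE_LIMIT uses; the default chosen here is an assumption).
_LIMIT_RE = re.compile(
    r"^\s*(\d+)\s*(?:per|/)\s*(\d+)?\s*(second|minute|hour|day)s?\s*$", re.I)
_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec: str):
    """'5 per 40 second' -> (5, 40); '100/hour' -> (100, 3600)."""
    m = _LIMIT_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised rate limit: {spec!r}")
    count = int(m.group(1))
    multiplier = int(m.group(2) or 1)
    return count, multiplier * _SECONDS[m.group(3).lower()]


class LoginRateLimiter:
    """Sliding-window limiter keyed by (client address, username).

    Only accepted attempts are recorded, so a rejected request does not
    extend the lockout; the window simply has to age out."""

    def __init__(self, limit: str = "5 per 40 second", clock=time.monotonic):
        self.max_attempts, self.window = parse_limit(limit)
        self._clock = clock
        self._attempts = defaultdict(deque)

    def allow(self, remote_addr: str, username: str) -> bool:
        """Record one login attempt; False means reject it (HTTP 429)
        before any password check runs."""
        now = self._clock()
        bucket = self._attempts[(remote_addr, username.lower())]
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()
        if len(bucket) >= self.max_attempts:
            return False
        bucket.append(now)
        return True


# Constructed attempt log: (seconds since start, client address, username).
SAMPLE_ATTEMPTS = [
    (0.0, "203.0.113.7", "admin"), (1.0, "203.0.113.7", "admin"),
    (2.0, "203.0.113.7", "admin"), (3.0, "203.0.113.7", "admin"),
    (4.0, "203.0.113.7", "admin"),
    (5.0, "203.0.113.7", "admin"),   # sixth attempt inside 40 s: rejected
    (6.0, "203.0.113.7", "alice"),   # different user: separate bucket
    (45.0, "203.0.113.7", "admin"),  # earlier attempts aged out: allowed
]


def replay(attempts, limit: str = "5 per 40 second"):
    """Run a recorded attempt sequence through the limiter with a fake clock
    and return the allow/reject decision for each attempt."""
    current = [0.0]
    limiter = LoginRateLimiter(limit, clock=lambda: current[0])
    decisions = []
    for t, addr, user in attempts:
        current[0] = t
        decisions.append(limiter.allow(addr, user))
    return decisions


if __name__ == "__main__":
    for (t, addr, user), ok in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={t:5.1f} {addr} {user:6s} {'allow' if ok else 'REJECT'}")
```

Keying on address and username together limits a single source hammering one account; a distributed password spray across many addresses needs a per-username budget as well, which is one reason the advisory also recommends enforcing limits at a reverse proxy. Behind a proxy, take the client address from the trusted forwarded header, not the socket peer.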
CVE-2023-34110
Impact
An authenticated malicious actor with Admin privileges could, by adding a special character on the add or edit User forms, trigger a database error; this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row, including the pbkdf2:sha256 hashed password.
Patches
Fixed on 4.3.2
CVE-2024-25128
Impact
When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, an attacker can forge an HTTP request that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privileged access if a custom OpenID service is deployed by the attacker and accessible by the backend.
This vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol, which is very different from the popular OIDC (OpenID Connect) protocol used today. Currently, this protocol is regarded as legacy, with significantly reduced usage, and has not been supported for several years by major authorization providers.
Patches
Upgrade to Flask-AppBuilder 4.3.11
Workarounds
If upgrade is not possible add the following to your config:
CVE-2024-45314
Impact
The Auth DB login form's default cache directives allow the browser to locally store sensitive data. This can be an issue on environments using shared computer resources.
Patches
Upgrade flask-appbuilder to version 4.5.1
Workarounds
If upgrading is not possible configure your web server to send the following HTTP headers for /login:
"Cache-Control": "no-store, no-cache, must-revalidate, max-age=0"
"Pragma": "no-cache"
"Expires": "0"
Release Notes
dpgaspar/flask-appbuilder (flask-appbuilder)
v4.5.1
v4.5.0
v4.4.1
v4.4.0
v4.3.11
v4.3.10
v4.3.9
v4.3.8
- authlib (#2112) [Daniel Wolf]
v4.3.7
v4.3.6
v4.3.5
v4.3.4
v4.3.3
v4.3.2
v4.3.1
v4.3.0
v4.2.1
v4.2.0
v4.1.6
v4.1.5
v4.1.4
v4.1.3
v4.1.2
v4.1.1
v4.1.0
v4.0.0
[Breaking changes]
v3.4.5
- export-roles --indent's argument "duck casting" to int (#1811) [Étienne Boisseau-Sierra]
- export-roles to be beautified (#1724) [Étienne Boisseau-Sierra]
v3.4.4
v3.4.3
v3.4.2
v3.4.1
v3.4.0
v3.3.4
v3.3.3
v3.3.2
v3.3.1
- self reference for my_custom (#1651) [Marek Šuppa]
v3.3.0
v3.2.3
v3.2.2
v3.2.1
v3.2.0
v3.1.1
v3.1.0
- list's => lists. (#1476)
v3.0.1
v3.0.0
v2.3.4
v2.3.3
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.