Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods
Vulnerability Description
Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
认证机制不恰当
Vulnerability Title
Flask App Builder 授权问题漏洞
Vulnerability Description
Flask App Builder是Daniel Vaz Gaspar个人开发者的一个简单快速的应用程序开发框架。 Flask App Builder 4.8.1之前版本存在授权问题漏洞,该漏洞源于使用非数据库身份验证方法时未禁用密码重置功能,可能导致已禁用用户创建JWT令牌。
CVSS Information
N/A
Vulnerability Type
N/A