PT-2021-23226 · Unknown · Flask-Appbuilder
Dpgaspar · Published 2021-12-09 · Updated 2021-12-15 · CVE-2021-41265
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Flask-AppBuilder versions prior to 3.3.4
Description
The issue is an improper authentication weakness in the REST API: a malicious actor can, with a carefully crafted request, successfully authenticate and gain access to existing protected REST API endpoints. Only non-database authentication types and the new REST API endpoints are affected.
Recommendations
For versions prior to 3.3.4, upgrade to Flask-AppBuilder 3.3.4 to receive a patch. As a temporary workaround, consider restricting access to new REST API endpoints until the issue is resolved.
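A small triage helper for this advisory, added here as an example and not part of the advisory or of Flask-AppBuilder itself: it combines the installed version against the fixed release 3.3.4 with the deployment's AUTH_TYPE, since only non-database authentication is in scope. The AUTH_* values are assumed from flask_appbuilder.const; the sample version strings are constructed.

```python
import re
from typing import Dict, Tuple

FIXED_VERSION = "3.3.4"  # first release carrying the fix, per the advisory
# AUTH_TYPE values as defined in flask_appbuilder.const (library constants
# assumed here; the advisory only says "non-database authentication types").
AUTH_OID, AUTH_DB, AUTH_LDAP, AUTH_REMOTE_USER, AUTH_OAUTH = 0, 1, 2, 3, 4
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(.*)$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (numeric release tuple, is_prerelease); '3.3' pads to (3, 3, 0),
    '3.3.4rc1' -> ((3, 3, 4), True), '3.3.4.post1' -> ((3, 3, 4), False)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    suffix = m.group(2).strip()
    return release + (0,) * (3 - len(release)), bool(suffix) and "post" not in suffix


def is_vulnerable_version(version: str) -> bool:
    """True when the version predates the fixed release; a pre-release of the
    fixed version (e.g. 3.3.4rc1) still counts as unpatched."""
    release, prerelease = parse_version(version)
    fixed, _ = parse_version(FIXED_VERSION)
    return release < fixed or (release == fixed and prerelease)


def assess(version: str, auth_type: int) -> Dict[str, object]:
    """Triage verdict: exposure needs both an unpatched version and a non-DB
    AUTH_TYPE, matching the advisory's stated scope."""
    vulnerable = is_vulnerable_version(version)
    exposed = vulnerable and auth_type != AUTH_DB
    if exposed:
        action = f"upgrade to {FIXED_VERSION}; restrict REST API access until then"
    elif vulnerable:
        action = f"upgrade to {FIXED_VERSION} (AUTH_DB is outside the affected scope)"
    else:
        action = "no action: version is patched"
    return {"version": version, "vulnerable_version": vulnerable,
            "exposed": exposed, "action": action}


if __name__ == "__main__":
    print(assess("3.3.3", AUTH_OAUTH))  # constructed sample input
```

In a real deployment the version string can be read with importlib.metadata.version("Flask-AppBuilder") and AUTH_TYPE from the app's config.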
Weakness Enumeration
Improper Authentication
Affected Products
Flask-Appbuilder