PT-2022-20589 · Pypi · Flask-Appbuilder

Pgaspar · Published 2022-07-29 · Updated 2023-07-24 · CVE-2022-31177

CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Flask-AppBuilder versions prior to 4.1.3

Description: An authenticated Admin user could query other users by their salted and hashed password strings, using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and the users they belong to. This issue is specific to the AUTH DB database authentication option.

Recommendations: For versions prior to 4.1.3, upgrade to version 4.1.3 to resolve the issue. As a temporary workaround, consider restricting access to the user query functionality to minimize the risk of exploitation. Avoid using the AUTH DB database authentication option until the issue is resolved.

Weakness Enumeration

Information Disclosure

Related Identifiers

CVE-2022-31177
GHSA-32FF-4G79-VGFC
PYSEC-2022-247

Affected Products

Flask-Appbuilder