CVE-2024-25128

Name of the Vulnerable Software and Affected Versions Flask-AppBuilder versions prior to 4.3.11

Description The issue allows an attacker to forge an HTTP request, deceiving the backend into using any requested OpenID service when Flask-AppBuilder is set to AUTH TYPE AUTH OID. This could grant an attacker unauthorized privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. The vulnerability is only exploitable when the application is using the OpenID 2.0 authorization protocol.

Recommendations For Flask-AppBuilder versions prior to 4.3.11, upgrade to Flask-AppBuilder 4.3.11 to fix the vulnerability. As a temporary workaround, if an upgrade is not possible, add the provided configuration changes to your code, specifically implementing the FixedOIDView and FixedSecurityManager classes to restrict the use of unauthorized OpenID services.