search

VernonCo / ps_utils

Promostandards utilities -- Public repository for accessing PS services
1 stars 0 forks source link

CVE-2021-32805 (Medium) detected in Flask_AppBuilder-2.3.0-py3-none-any.whl - autoclosed #105

Closed mend-bolt-for-github[bot] closed 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

CVE-2021-32805 - Medium Severity Vulnerability

Vulnerable Library - Flask_AppBuilder-2.3.0-py3-none-any.whl

Simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.

Library home page: https://files.pythonhosted.org/packages/db/9f/7f6d449352ba94b938b10bcde22b2667b63576c63ce7df505d5032ac5627/Flask_AppBuilder-2.3.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **Flask_AppBuilder-2.3.0-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 44945ea6e6cd2bd79b768e2d8563dc597b61c6d0

Vulnerability Details

Flask-AppBuilder is an application development framework, built on top of Flask. In affected versions if using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder, this URL can redirect a user to a malicious site. This is an open redirect vulnerability. To resolve this issue upgrade to Flask-AppBuilder 3.2.2 or above. If upgrading is infeasible users may filter HTTP traffic containing `?next={next-site}` where the `next-site` domain is different from the application you are protecting as a workaround.

Publish Date: 2021-09-08

URL: CVE-2021-32805

CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-624f-cqvr-3qw4

Release Date: 2021-09-08

Fix Resolution: Flask-AppBuilder - 3.3.2

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.