Platform: python
Component: flask-appbuilder
Fixed in: 4.3.12
CVE-2024-25128 is a critical vulnerability affecting Flask-AppBuilder versions up to 4.3.11. This flaw allows attackers to forge HTTP requests that trick the application into using a rogue OpenID service. Successful exploitation can grant unauthorized privileged access, compromising application security. The vulnerability is only exploitable when the application uses the OpenID 2.0 authorization protocol. A fix is available in version 4.3.11.
The impact of CVE-2024-25128 is significant due to its potential for unauthorized privilege escalation. An attacker could deploy a custom OpenID service, accessible to the vulnerable Flask-AppBuilder application. By crafting malicious HTTP requests, the attacker can manipulate the authentication flow, causing the application to authenticate against their controlled service. This allows the attacker to impersonate legitimate users and gain access to sensitive data and functionality within the application. The blast radius extends to any data or actions accessible by users with elevated privileges within the Flask-AppBuilder application.
CVE-2024-25128 was publicly disclosed on February 28, 2024. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Organizations deploying Flask-AppBuilder with the AUTH_TYPE = AUTH_OID authentication method are at significant risk. This includes applications using custom OpenID providers or those deployed in environments where attackers can potentially control external services. Shared hosting environments where multiple applications share the same Flask-AppBuilder instance are also particularly vulnerable.
• python / flask: Inspect the Flask-AppBuilder configuration for AUTH_TYPE = AUTH_OID. Monitor application logs for unusual OpenID authentication requests.

```python
# Example: Check Flask-AppBuilder configuration
# Reads the configuration text from the FLASK_APPBUILDER_CONFIG environment
# variable and flags a configuration that selects OpenID authentication.
import os

appbuilder_config = os.environ.get('FLASK_APPBUILDER_CONFIG', '')
if 'auth_type' in appbuilder_config.lower() and 'auth_oid' in appbuilder_config.lower():
    print('Potential vulnerability: AUTH_TYPE AUTH_OID detected')
```

• generic web: Monitor access logs for requests to OpenID endpoints with unusual parameters. Check response headers for unexpected redirects.
• database (mysql, postgresql): If Flask-AppBuilder uses a database for storing user credentials, review database queries for suspicious authentication patterns.
Disclosure:
Exploit status:
EPSS: 0.96% (76th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-25128 is to upgrade Flask-AppBuilder to version 4.3.11 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Carefully review and restrict the allowed OpenID providers configured within the application. Implement strict input validation on all user-supplied data related to authentication. Monitor authentication logs for suspicious activity, particularly requests originating from unexpected OpenID providers. After upgrading, confirm the fix by attempting to authenticate using a different OpenID provider and verifying that the application does not accept requests from unauthorized sources.
Update Flask-AppBuilder to version 4.3.11 or later. This version fixes the broken authentication when the OpenID auth type is used. The update can be performed with the pip package manager: `pip install Flask-AppBuilder==4.3.11`.
CVE-2024-25128 is a critical vulnerability in Flask-AppBuilder versions up to 4.3.11 that allows attackers to forge HTTP requests to deceive the application's authentication process, potentially gaining unauthorized access.
You are affected if you are using Flask-AppBuilder version 4.3.11 or earlier and have AUTH_TYPE = AUTH_OID enabled. Check your version and configuration immediately.
Upgrade Flask-AppBuilder to version 4.3.11 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting allowed OpenID providers.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity makes it a likely target for exploitation.
Refer to the official Flask-AppBuilder security advisory for detailed information and updates: [https://flask-appbuilder.com/security.html](https://flask-appbuilder.com/security.html)