Platform
python
Component
flask-appbuilder
Fixed in
4.3.11
CVE-2024-25128 is a critical vulnerability affecting Flask-AppBuilder versions prior to 4.3.11. When the application is configured with `AUTH_TYPE = AUTH_OID`, the OpenID provider URL submitted with the login request is accepted as-is, so an attacker can forge an HTTP request that makes the backend perform OpenID authentication against any OpenID service the attacker names, including one they operate. Because the application trusts the identity asserted by that rogue service, successful exploitation can grant unauthorized, potentially privileged access. The flaw is only exploitable when the application uses the OpenID 2.0 authorization protocol; other authentication types are unaffected. A fix is available in version 4.3.11.
The impact of CVE-2024-25128 is significant because it amounts to an authentication bypass with privilege escalation. An attacker deploys a custom OpenID 2.0 service that the vulnerable Flask-AppBuilder backend can reach, then submits a login request naming that service as the provider. The backend completes the OpenID flow against the attacker's service, which asserts whatever identity the attacker chooses, so the attacker can impersonate legitimate users, including administrators, and reach the data and functionality those users can access. The blast radius is therefore every record and action available to the most privileged account whose identity the rogue provider can assert.
CVE-2024-25128 was publicly disclosed on February 28, 2024. No active exploitation campaigns have been publicly confirmed, and the vulnerability is not currently listed in the CISA KEV catalog. Its critical severity and low exploitation complexity (a single crafted login request, no credentials required) nevertheless make exposed OpenID-enabled deployments an attractive target, and the risk grows if public proof-of-concept code appears.
Exploit Status
EPSS
0.96% (76% percentile)
The primary mitigation for CVE-2024-25128 is to upgrade Flask-AppBuilder to version 4.3.11 or later. If an immediate upgrade is not feasible, apply temporary workarounds: if OpenID login is not actually required, switch `AUTH_TYPE` away from `AUTH_OID`; otherwise restrict the providers listed in `OPENID_PROVIDERS` to the ones you operate or trust, and reject any login request whose provider URL is not an exact match for a configured entry. Monitor authentication logs for login attempts that reference OpenID provider URLs outside that list. After upgrading, confirm the fix by submitting a login request that names an unlisted OpenID provider and verifying that the application refuses it rather than starting an OpenID flow against it.
Update Flask-AppBuilder to version 4.3.11 or higher. This version corrects the incorrect authentication vulnerability in the OpenID authentication type by validating the provider selected at login. The update can be performed using the pip package manager: `pip install "Flask-AppBuilder>=4.3.11"`.
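The following is an added example, not Flask-AppBuilder's own code, showing the two points above in working Python: the unsafe pattern of handing the POSTed provider URL straight to the OpenID library beside a hardened allowlist check against an `OPENID_PROVIDERS` list, and a version check for deciding whether an installed release predates the 4.3.11 fix. The function names, the normalization rules and the sample provider list are assumptions for illustration; `OPENID_PROVIDERS` is the real Flask-AppBuilder setting name but the entries here are constructed.

```python
"""Added example (not Flask-AppBuilder's code): allowlist the OpenID provider
chosen at login, and decide whether an installed version needs the 4.3.11 fix.
Function names and the sample provider list are illustrative assumptions."""
import re
from urllib.parse import urlsplit

# Constructed sample of the OPENID_PROVIDERS setting Flask-AppBuilder reads.
# In a real deployment this lives in the application's config.py.
OPENID_PROVIDERS = [
    {"name": "Corporate SSO", "url": "https://openid.example.com/"},
    {"name": "Partner IdP", "url": "https://id.partner.example/"},
]


def _normalize(url: str) -> str:
    """Canonical form for comparison: lowercase scheme and host, no trailing
    slash.  Dot segments and userinfo are deliberately NOT resolved away, so
    'https://openid.example.com@attacker.example/' or '/../' tricks still fail."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path.rstrip('/')}"


def choose_provider_vulnerable(form_openid: str) -> str:
    """The pattern the advisory describes: whatever URL arrives in the POSTed
    'openid' field becomes the provider the backend talks to.  An attacker
    simply submits the URL of a service they run."""
    return form_openid


def choose_provider_hardened(form_openid: str, providers=OPENID_PROVIDERS):
    """Accept only a URL that matches a configured provider; return the
    configured string (never the attacker-influenced input) or None to
    signal that the login must be refused."""
    wanted = _normalize(form_openid)
    for provider in providers:
        if _normalize(provider["url"]) == wanted:
            return provider["url"]
    return None


def version_tuple(version: str) -> tuple:
    """'4.3.10' -> (4, 3, 10).  Non-numeric suffixes are ignored, so a
    pre-release such as '4.3.11rc1' compares as 4.3.11; treat those manually."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in version.split("."))


def is_affected(installed_version: str) -> bool:
    """True when the installed Flask-AppBuilder predates the 4.3.11 fix.
    Only meaningful when AUTH_TYPE is AUTH_OID; other auth types are unaffected."""
    return version_tuple(installed_version) < (4, 3, 11)


if __name__ == "__main__":
    rogue = "https://attacker.example/openid"   # constructed attacker-run service
    print("vulnerable path uses:", choose_provider_vulnerable(rogue))
    print("hardened path uses:", choose_provider_hardened(rogue))
    print("hardened path, listed provider:",
          choose_provider_hardened("HTTPS://OPENID.EXAMPLE.COM"))
    for v in ("4.3.10", "4.3.11", "4.4.0"):
        print(v, "affected" if is_affected(v) else "fixed")
```

Comparing normalized exact matches, rather than prefixes or substrings, is what matters: a prefix check would let `https://openid.example.com.attacker.example/` through, and a substring check would accept `https://attacker.example/?x=https://openid.example.com/`.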
CVE-2024-25128 is a critical vulnerability in Flask-AppBuilder versions prior to 4.3.11 that allows an unauthenticated attacker to forge a login request naming an OpenID provider they control, deceiving the application's OpenID authentication process and potentially gaining unauthorized, privileged access.
You are affected if you are running Flask-AppBuilder 4.3.10 or earlier with `AUTH_TYPE = AUTH_OID` in your configuration. Check your installed version (`pip show Flask-AppBuilder`) and your `AUTH_TYPE` setting immediately.
Upgrade Flask-AppBuilder to version 4.3.11 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting allowed OpenID providers.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity makes it a likely target for exploitation.
Refer to the official Flask-AppBuilder security advisory for detailed information and updates: [https://flask-appbuilder.com/security.html](https://flask-appbuilder.com/security.html)