
Flask-AppBuilder Open Redirect vulnerability

High severity GitHub Reviewed Published Sep 8, 2021 in dpgaspar/Flask-AppBuilder • Updated Sep 20, 2024

Package

Flask-AppBuilder (pip)

Affected versions

< 3.3.2

Patched versions

3.3.2

Description

Impact

If Flask-AppBuilder OAuth is in use, an attacker can share a carefully crafted URL on the trusted domain of an application built with Flask-AppBuilder; that URL can redirect a user to a malicious site. This is an open redirect vulnerability.

Patches

Install Flask-AppBuilder 3.2.2 or above

Workarounds

Filter HTTP traffic containing ?next={next-site} where the next-site domain is different from the domain of the application you are protecting.
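One way to apply that workaround at the application layer, as an added example that is not Flask-AppBuilder's own code: a validator for the `next` parameter that only accepts relative paths or absolute URLs on the configured application host (`app_host` is assumed to come from configuration, never from request headers).

```python
from urllib.parse import urlsplit

# Added example, not Flask-AppBuilder's own code. `app_host` is the host
# (optionally with port) the application is served from; it is assumed to be
# read from configuration rather than from the incoming request.
def is_safe_next(next_url: str, app_host: str) -> bool:
    """Return True only if ``next_url`` stays on ``app_host``.

    Accepts site-relative paths ("/dashboard") and absolute http(s) URLs
    whose host matches the application host exactly. Rejects everything
    else, including scheme-relative URLs ("//other.example"), non-HTTP
    schemes, and backslash variants that browsers normalise into a host.
    """
    if not next_url:
        return False
    # Browsers treat "\" like "/" in URLs, so normalise before parsing;
    # otherwise "/\other.example" parses as a path here but a host there.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        return parts.netloc.lower() == app_host.lower()
    # No host component: only a plain absolute path on this site is allowed.
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_next(next_url: str, app_host: str, fallback: str = "/") -> str:
    """Return ``next_url`` if it passes the check, otherwise ``fallback``."""
    return next_url if is_safe_next(next_url, app_host) else fallback
```

A login view would call `resolve_next(request.args.get("next", ""), app_host)` and redirect to the result, so any off-site value silently falls back to the home page.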

References

@dpgaspar dpgaspar published to dpgaspar/Flask-AppBuilder Sep 8, 2021
Published by the National Vulnerability Database Sep 8, 2021
Reviewed Sep 8, 2021
Published to the GitHub Advisory Database Sep 8, 2021
Last updated Sep 20, 2024

Severity

High

EPSS score

0.066%
(30th percentile)

Weaknesses

CVE ID

CVE-2021-32805

GHSA ID

GHSA-624f-cqvr-3qw4