CVE-2022-31177
low-risk
Published 2022-08-01
Flask-AppBuilder is an application development framework built on top of Flask python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This issue has been fixed in version 4.1.3. Users are advised to upgrade. There are no known workarounds for this issue.
Do I need to act?
-
0.34% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.7/10
Low
NETWORK
/ LOW complexity
Affected Products (1)
Flask-Appbuilder
Affected Vendors
References (4)
Third Party Advisory
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-...
Third Party Advisory
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-...
20
/ 100
low-risk
Severity
14/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal