CVE-2024-45314

Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch for this issue. If upgrading is not possible, configure one's web server to send the specific HTTP headers for `/login` per the directions provided in the GitHub Security Advisory.

CVSS v3 3.6 LOW

3.6^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/dpgaspar/Flask-AppBuilder/commit/3030e881d2e44f4021764e18e489fe940a9b3636	Patch
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fw5r-6m3x-rh7p	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dpgaspar:flask_app_builder:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-04 16:15

Updated : 2024-09-12 16:39

NVD link : CVE-2024-45314

Mitre link : CVE-2024-45314

CVE.ORG link : CVE-2024-45314

JSON object : View

Products Affected

dpgaspar

flask_app_builder

CWE

CWE-525

Use of Web Browser Cache Containing Sensitive Information

NVD-CWE-Other

{"id": "CVE-2024-45314", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.6, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-09-04T16:15:08.833", "references": [{"url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/3030e881d2e44f4021764e18e489fe940a9b3636", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fw5r-6m3x-rh7p", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-525"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch for this issue. If upgrading is not possible, configure one's web server to send the specific HTTP headers for `/login` per the directions provided in the GitHub Security Advisory."}, {"lang": "es", "value": "Flask-AppBuilder es un framework de desarrollo de aplicaciones. Antes de la versi\u00f3n 4.5.1, las directivas de cach\u00e9 predeterminadas del formulario de inicio de sesi\u00f3n de la base de datos de autenticaci\u00f3n permiten que el navegador almacene localmente datos confidenciales. Esto puede ser un problema en entornos que utilizan recursos inform\u00e1ticos compartidos. La versi\u00f3n 4.5.1 contiene un parche para este problema. Si no es posible realizar la actualizaci\u00f3n, configure su servidor web para que env\u00ede los encabezados HTTP espec\u00edficos para `/login` seg\u00fan las instrucciones proporcionadas en el Aviso de seguridad de GitHub."}], "lastModified": "2024-09-12T16:39:53.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dpgaspar:flask_app_builder:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3DCADA8-B241-4FC2-899E-520EEB2640FE", "versionEndExcluding": "4.5.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}