Source: flask-appbuilder
Version: 4.1.4+ds-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for flask-appbuilder.

CVE-2024-25128[0]:
| Flask-AppBuilder is an application development framework, built on
| top of Flask. When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it
| allows an attacker to forge an HTTP request, that could deceive the
| backend into using any requested OpenID service. This vulnerability
| could grant an attacker unauthorised privilege access if a custom
| OpenID service is deployed by the attacker and accessible by the
| backend. This vulnerability is only exploitable when the application
| is using the OpenID 2.0 authorization protocol. Upgrade to Flask-
| AppBuilder 4.3.11 to fix the vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25128
    https://www.cve.org/CVERecord?id=CVE-2024-25128
[1] https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj
[2] https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8

Regards,
Salvatore
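As an added illustration (not the upstream fix and not Flask-AppBuilder's own code): the advisory's point is that the backend must not contact whichever OpenID 2.0 service a request names. The check below maps a client-supplied provider URL onto a server-side allowlist and only ever uses the allowlisted value; the provider URLs and the function names are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of OpenID 2.0 provider endpoints the backend may contact.
# Placeholder values; a real deployment lists its own configured providers.
ALLOWED_OPENID_PROVIDERS = (
    "https://openid.example.org/server",
    "https://login.example.net/openid",
)


def normalize_endpoint(url: str) -> Optional[str]:
    """Return a canonical https://host[:port]/path form, or None if unusable.

    Only https is accepted; host is lower-cased and a default port is dropped,
    so case or port tricks cannot make a foreign endpoint look allowlisted.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if port not in (None, 443):
        host = f"{host}:{port}"
    return f"https://{host}{parts.path or '/'}"


def select_openid_provider(requested: str) -> Optional[str]:
    """Return the allowlisted endpoint matching the client-supplied value, or None.

    The request value is used only as a lookup key; the value handed to the
    OpenID client is always the server-side constant, never the raw input.
    """
    candidate = normalize_endpoint(requested)
    if candidate is None:
        return None
    for allowed in ALLOWED_OPENID_PROVIDERS:
        if normalize_endpoint(allowed) == candidate:
            return allowed
    return None
```

A request naming a provider outside the allowlist yields None, and the login handler should refuse it rather than fall back to contacting the supplied URL.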