Source: flask-appbuilder X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for flask-appbuilder. CVE-2023-34110[0]: | Flask-AppBuilder is an application development framework, built on | top of Flask. Prior to version 4.3.2, an authenticated malicious | actor with Admin privileges, could by adding a special character on | the add, edit User forms trigger a database error, this error is | surfaced back to this actor on the UI. On certain database engines | this error can include the entire user row including the | pbkdf2:sha256 hashed password. This vulnerability has been fixed in | version 4.3.2. https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-jhpr-j7cq-3jp3 https://github.com/dpgaspar/Flask-AppBuilder/commit/ae25ad4c87a9051ebe4a4e8f02aee73232642626 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-34110 https://www.cve.org/CVERecord?id=CVE-2023-34110 Please adjust the affected versions in the BTS as needed.
