First published: Wed Sep 08 2021(Updated: )
### Impact If using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder, this URL can redirect a user to a malicious site. This is an open redirect vulnerability ### Patches Install Flask-AppBuilder 3.2.2 or above ### Workarounds Filter HTTP traffic containing `?next={next-site}` where the `next-site` domain is different from the application you are protecting
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Flask-appbuilder Project Flask-appbuilder | <3.3.2 | |
pip/Flask-AppBuilder | <3.3.2 | 3.3.2 |
<3.3.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-32805 is a vulnerability in Flask-AppBuilder, an application development framework built on top of Flask.
The severity of CVE-2021-32805 is high, with a severity value of 6.1.
In affected versions of Flask-AppBuilder, if using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder, redirecting users to a malicious site.
The affected software is Flask-AppBuilder version up to exclusive 3.3.2.
Yes, updating Flask-AppBuilder to a version beyond 3.3.2 will resolve the vulnerability.