First published: Thu Dec 09 2021(Updated: )
### Impact

Improper authentication on the REST API. Allows a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. Only affects non-database authentication types and new REST API endpoints.

### Patches

Upgrade to Flask-AppBuilder 3.3.4

### For more information

If you have any questions or comments about this advisory:

* Open an issue in https://github.com/dpgaspar/Flask-AppBuilder
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Flask-appbuilder Project Flask-appbuilder | <3.3.4 | 
pip/Flask-AppBuilder | <3.3.4 | 3.3.4
CVE-2021-41265 is a vulnerability in the Flask-AppBuilder development framework prior to version 3.3.4 that allows for improper authentication in the REST API.
A malicious actor can exploit CVE-2021-41265 by sending a carefully crafted request that authenticates and gains access to protected REST resources.
CVE-2021-41265 has a severity rating of 8.8, which is considered high.
To fix CVE-2021-41265, update Flask-AppBuilder to version 3.3.4 or later.
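The affected-version table and the fix advice above both reduce to one rule: any Flask-AppBuilder release earlier than 3.3.4 is affected. The script below, an added example that is not part of this advisory or of the Flask-AppBuilder project, turns that rule into an inventory check a defender can run on a host: it reads the installed version of the `Flask-AppBuilder` distribution (the real PyPI name, shown as `pip/Flask-AppBuilder` in the table) and compares it against 3.3.4, treating pre-releases of 3.3.4 (for example `3.3.4rc1`, a constructed sample) as still affected and post-releases as fixed. The `parse_version`, `is_affected` and `check_installed` names are this example's own.

```python
"""Check whether an installed Flask-AppBuilder falls in the CVE-2021-41265
affected range (< 3.3.4).  Added example; not part of the advisory or project."""
import re
from importlib import metadata
from typing import Optional, Tuple

FIXED_VERSION = (3, 3, 4)        # from the advisory: "Upgrade to Flask-AppBuilder 3.3.4"
DIST_NAME = "Flask-AppBuilder"   # PyPI distribution name (the table's "pip/Flask-AppBuilder")


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Parse a PEP 440-style version into (release_tuple, is_prerelease).

    Only the numeric release segment matters here; a trailing pre-release
    tag (a/b/c/rc/alpha/beta/pre/preview/dev, e.g. "3.3.4rc1") marks the
    version as earlier than the final release with the same number.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    tail = m.group(2).strip().lower()
    is_pre = bool(re.match(r"^[.\-_]?(a|b|c|rc|alpha|beta|pre|preview|dev)", tail))
    return release, is_pre


def is_affected(version_text: str) -> bool:
    """True if the given version is older than the 3.3.4 fix."""
    release, is_pre = parse_version(version_text)
    # Pad both tuples so "3.3" compares as (3, 3, 0).
    width = max(len(release), len(FIXED_VERSION))
    rel = release + (0,) * (width - len(release))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    if rel < fixed:
        return True
    # A pre-release of 3.3.4 predates the fix itself; a post-release does not.
    return rel == fixed and is_pre


def installed_version(dist: str = DIST_NAME) -> Optional[str]:
    """Return the installed distribution version, or None if absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def check_installed(dist: str = DIST_NAME) -> str:
    """One-line status suitable for an inventory or CI report."""
    ver = installed_version(dist)
    if ver is None:
        return f"{dist}: not installed"
    if is_affected(ver):
        return f"{dist} {ver}: AFFECTED by CVE-2021-41265, upgrade to 3.3.4 or later"
    return f"{dist} {ver}: not affected by CVE-2021-41265"


if __name__ == "__main__":
    print(check_installed())
```

Run it inside the virtual environment that serves the application, since `importlib.metadata` only sees the interpreter's own site-packages; a container image or a second virtualenv needs its own run.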
More information about CVE-2021-41265 can be found in the following references: [GitHub Commit](https://github.com/dpgaspar/Flask-AppBuilder/commit/eba517aab121afa3f3f2edb011ec6bc4efd61fbc), [GitHub Release](https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v3.3.4), [GitHub Security Advisory](https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-m3rf-7m4w-r66q).