{"id": "CVE-2024-45314", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.6, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2024-09-04T16:15:08.833", "references": [{"url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/3030e881d2e44f4021764e18e489fe940a9b3636", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fw5r-6m3x-rh7p", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-525"}]}], "descriptions": [{"lang": "en", "value": "Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form's default cache directives allow the browser to locally store sensitive data. This can be an issue in environments using shared computer resources. 
Version 4.5.1 contains a patch for this issue. If upgrading is not possible, configure one's web server to send the specific HTTP headers for `/login` per the directions provided in the GitHub Security Advisory."}, {"lang": "es", "value": "Flask-AppBuilder es un framework de desarrollo de aplicaciones. Antes de la versi\u00f3n 4.5.1, las directivas de cach\u00e9 predeterminadas del formulario de inicio de sesi\u00f3n de la base de datos de autenticaci\u00f3n permiten que el navegador almacene localmente datos confidenciales. Esto puede ser un problema en entornos que utilizan recursos inform\u00e1ticos compartidos. La versi\u00f3n 4.5.1 contiene un parche para este problema. Si no es posible realizar la actualizaci\u00f3n, configure su servidor web para que env\u00ede los encabezados HTTP espec\u00edficos para `/login` seg\u00fan las instrucciones proporcionadas en el Aviso de seguridad de GitHub."}], "lastModified": "2024-09-12T16:39:53.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dpgaspar:flask_app_builder:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3DCADA8-B241-4FC2-899E-520EEB2640FE", "versionEndExcluding": "4.5.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}