Description
Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the default cache directives on the auth DB login form allow the browser to store sensitive data locally. This can be an issue in environments that use shared computer resources. Version 4.5.1 contains a patch for this issue. If upgrading is not possible, configure the web server to send the specific HTTP headers for `/login` per the directions provided in the GitHub Security Advisory.
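The workaround above is a web-server configuration change; the following is an added example, written for this page and not Flask-AppBuilder's own patch or the advisory's text, of applying the same idea at the WSGI layer so that responses for `/login` carry cache directives that tell the browser not to store the page. The header values (`Cache-Control: no-store, no-cache, must-revalidate, max-age=0`, `Pragma: no-cache`, `Expires: 0`), the `SENSITIVE_PATHS` list, the `no_store_middleware` wrapper and the toy `demo_app` are this example's assumptions; the advisory should be consulted for the exact header set it recommends. Only the Python standard library is used, so the example runs offline.

```python
# Added example: WSGI middleware that sets no-store cache directives on
# responses for sensitive paths such as /login. Not Flask-AppBuilder's patch;
# header values and path list are this example's assumptions.
from wsgiref.util import setup_testing_defaults

# Paths whose responses must never land in a shared browser cache (assumption).
SENSITIVE_PATHS = frozenset({"/login"})

# Constructed header set (assumption); check the advisory for its exact list.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]
_NO_STORE_NAMES = {name.lower() for name, _ in NO_STORE_HEADERS}


def no_store_middleware(app, sensitive_paths=SENSITIVE_PATHS):
    """Wrap a WSGI app so that sensitive paths always get no-store headers."""

    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")

        def patched_start_response(status, headers, exc_info=None):
            if path in sensitive_paths:
                # Remove any cache header the app set (case-insensitively),
                # then append the no-store set so it cannot be overridden.
                headers = [(n, v) for n, v in headers if n.lower() not in _NO_STORE_NAMES]
                headers.extend(NO_STORE_HEADERS)
            return start_response(status, headers, exc_info)

        return app(environ, patched_start_response)

    return wrapped


def demo_app(environ, start_response):
    """Toy app standing in for the framework: /login sets no cache directives,
    mirroring the 'default cache directives' problem the advisory describes."""
    if environ.get("PATH_INFO") == "/login":
        body = b'<form method="post"><input name="username"><input name="password" type="password"></form>'
        start_response("200 OK", [("Content-Type", "text/html")])
    else:
        body = b"public page"
        start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, path):
    """Run one request through a WSGI app; return (status, lower-cased header dict, body)."""
    environ = {}
    setup_testing_defaults(environ)  # fills in a minimal, valid WSGI environ
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def response_headers(path, protect=True):
    """Headers the client sees for `path`, with or without the middleware."""
    app = no_store_middleware(demo_app) if protect else demo_app
    _, headers, _ = call(app, path)
    return headers


if __name__ == "__main__":
    for protected in (False, True):
        print("middleware" if protected else "bare app", response_headers("/login", protected))
```

The middleware strips any existing cache header before appending its own, so an application or framework default that set a permissive `Cache-Control` on the login page would not survive; public paths are left untouched so ordinary caching still works there.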
References (2)
Vendor Advisory (x_refsource_confirm): https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fw5r-6m3x-rh7p
Scores
CVSS v3: 3.6
EPSS: 0.0013
EPSS Percentile: 32.5%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-525 (Use of Web Browser Cache Containing Sensitive Information)
Status: published
Products (2)
dpgaspar/flask-appbuilder: < 4.5.1
pypi/flask-appbuilder: 0 - 4.5.1 (PyPI)
Published: Sep 04, 2024
Tracked Since: Feb 18, 2026