GHSA-J2PW-VP55-FQQJ
Vulnerability from github – Published: 2024-02-28 18:37 – Updated: 2024-03-01 14:54
VLAI?
Summary
Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID
Details
Impact
When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend.
This vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol (which is very different from the popular OIDC - Open ID Connect - popular protocol used today). Currently, this protocol is regarded as legacy, with significantly reduced usage and not supported for several years by major authorization providers.
Patches
Upgrade to Flask-AppBuilder 4.3.11
Workarounds
If upgrade is not possible add the following to your config:
from flask import flash, redirect
from flask_appbuilder import expose
from flask_appbuilder.security.sqla.manager import SecurityManager
from flask_appbuilder.security.views import AuthOIDView
from flask_appbuilder.security.forms import LoginForm_oid
basedir = os.path.abspath(os.path.dirname(__file__))
class FixedOIDView(AuthOIDView):
@expose("/login/", methods=["GET", "POST"])
def login(self, flag=True):
form = LoginForm_oid()
if form.validate_on_submit():
identity_url = None
for provider in self.appbuilder.sm.openid_providers:
if provider.get("url") == form.openid.data:
identity_url = form.openid.data
if identity_url is None:
flash(self.invalid_login_message, "warning")
return redirect(self.appbuilder.get_url_for_login)
return super().login(flag=flag)
class FixedSecurityManager(SecurityManager):
authoidview = FixedOIDView
FAB_SECURITY_MANAGER_CLASS = "config.FixedSecurityManager"
Severity ?
9.1 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Flask-AppBuilder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-25128"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-28T18:37:06Z",
"nvd_published_at": "2024-02-29T01:44:14Z",
"severity": "CRITICAL"
},
"details": "### Impact\nWhen Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. \n\nThis vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol (which is very different from the popular OIDC - Open ID Connect - popular protocol used today). Currently, this protocol is regarded as legacy, with significantly reduced usage and not supported for several years by major authorization providers.\n\n### Patches\nUpgrade to Flask-AppBuilder 4.3.11\n\n### Workarounds\nIf upgrade is not possible add the following to your config:\n\n```\nfrom flask import flash, redirect\nfrom flask_appbuilder import expose\nfrom flask_appbuilder.security.sqla.manager import SecurityManager\nfrom flask_appbuilder.security.views import AuthOIDView\nfrom flask_appbuilder.security.forms import LoginForm_oid\n\nbasedir = os.path.abspath(os.path.dirname(__file__))\n\n\nclass FixedOIDView(AuthOIDView):\n @expose(\"/login/\", methods=[\"GET\", \"POST\"])\n def login(self, flag=True):\n form = LoginForm_oid()\n if form.validate_on_submit():\n identity_url = None\n for provider in self.appbuilder.sm.openid_providers:\n if provider.get(\"url\") == form.openid.data:\n identity_url = form.openid.data\n if identity_url is None:\n flash(self.invalid_login_message, \"warning\")\n return redirect(self.appbuilder.get_url_for_login)\n return super().login(flag=flag)\n\nclass FixedSecurityManager(SecurityManager):\n authoidview = FixedOIDView\n\n\nFAB_SECURITY_MANAGER_CLASS = \"config.FixedSecurityManager\"\n```",
"id": "GHSA-j2pw-vp55-fqqj",
"modified": "2024-03-01T14:54:36Z",
"published": "2024-02-28T18:37:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25128"
},
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8"
},
{
"type": "PACKAGE",
"url": "https://github.com/dpgaspar/Flask-AppBuilder"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID "
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…