Skip to content

Flask-AppBuilder's login form allows browser to cache sensitive fields

Low severity GitHub Reviewed Published Sep 4, 2024 in dpgaspar/Flask-AppBuilder • Updated Sep 4, 2024

Package

pip flask-appbuilder (pip)

Affected versions

< 4.5.1

Patched versions

4.5.1

Description

Impact

Auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources.

Patches

Upgrade flask-appbuilder to version 4.5.1

Workarounds

If upgrading is not possible configure your web server to send the following HTTP headers for /login:
"Cache-Control": "no-store, no-cache, must-revalidate, max-age=0"
"Pragma": "no-cache"
"Expires": "0"

References

@dpgaspar dpgaspar published to dpgaspar/Flask-AppBuilder Sep 4, 2024
Published by the National Vulnerability Database Sep 4, 2024
Published to the GitHub Advisory Database Sep 4, 2024
Reviewed Sep 4, 2024
Last updated Sep 4, 2024

Severity

Low

EPSS score

0.052%
(21st percentile)

Weaknesses

CVE ID

CVE-2024-45314

GHSA ID

GHSA-fw5r-6m3x-rh7p

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.