TROYANOSYVIRUS
Voltar para CVEs

CVE-2025-58065

MEDIUM
6.5

Descricao

Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.

Detalhes CVE

Pontuacao CVSS v3.16.5
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioNONE
Publicado9/11/2025
Ultima modificacao9/24/2025
Fontenvd
Avistamentos honeypot0

Produtos afetados

dpgaspar:flask-appbuilder

Fraquezas (CWE)

CWE-287

Referencias

https://github.com/dpgaspar/Flask-AppBuilder/commit/a942a9cc5775752f9a02f97fd8198dd288fa93ee(security-advisories@github.com)
https://github.com/dpgaspar/Flask-AppBuilder/pull/2384(security-advisories@github.com)
https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.8.1(security-advisories@github.com)
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-765j-9r45-w2q2(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.