
CVE-2023-34110: fix: CRUD MVC log message (#2045) · dpgaspar/Flask-AppBuilder@ae25ad4

Flask-AppBuilder is an application development framework built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges could, by adding a special character on the add or edit User forms, trigger a database error; this error is surfaced back to the actor in the UI. On certain database engines this error can include the entire user row, including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.


Expand Up @@ -41,6 +41,8 @@ class BaseInterface: ) general_error_message = lazy_gettext(“General Error”)
database_error_message = lazy_gettext(“Database Error”)
“"” Tuple with message and text with severity type ex: ("Added Row", “info”) “"” message = ()
Expand Down Expand Up @@ -103,13 +105,13 @@ def get_values_item(self, item, show_columns):
def _get_values(self, lst, list_columns): “"” Get Values: formats values for list template. returns [{’col_name’:’col_value’,…},{’col_name’:’col_value’,…}] Get Values: formats values for list template. returns [{’col_name’:’col_value’,…},{’col_name’:’col_value’,…}] :param lst: The list of item objects from query :param list_columns: The list of columns to include :param lst: The list of item objects from query :param list_columns: The list of columns to include “"” retlst = [] for item in lst: Expand All @@ -121,13 +123,13 @@ def _get_values(self, lst, list_columns):
def get_values(self, lst, list_columns): “"” Get Values: formats values for list template. returns [{’col_name’:’col_value’,…},{’col_name’:’col_value’,…}] Get Values: formats values for list template. returns [{’col_name’:’col_value’,…},{’col_name’:’col_value’,…}] :param lst: The list of item objects from query :param list_columns: The list of columns to include :param lst: The list of item objects from query :param list_columns: The list of columns to include “"” for item in lst: retdict = {} Expand All @@ -137,7 +139,7 @@ def get_values(self, lst, list_columns):
def get_values_json(self, lst, list_columns): “"” Converts list of objects from query to JSON Converts list of objects from query to JSON “"” result = [] for item in self.get_values(lst, list_columns): Expand Down Expand Up @@ -264,19 +266,19 @@ def get_min_length(self, col_name):
def add(self, item): “"” Adds object Adds object “"” raise NotImplementedError
def edit(self, item): “"” Edit (change) object Edit (change) object “"” raise NotImplementedError
def delete(self, item): “"” Deletes object Deletes object “"” raise NotImplementedError
Expand All @@ -285,7 +287,7 @@ def get_col_default(self, col_name):
def get_keys(self, lst): “"” return a list of pk values from object list return a list of pk values from object list “"” pk_name = self.get_pk_name() if self.is_pk_composite(): Expand All @@ -295,7 +297,7 @@ def get_keys(self, lst):
def get_pk_name(self): “"” Returns the primary key name Returns the primary key name “"” raise NotImplementedError
Expand All @@ -308,8 +310,8 @@ def get_pk_value(self, item):
def get(self, pk, filter=None): “"” return the record from key, you can optionally pass filters if pk exits on the db but filters exclude it it will return none. return the record from key, you can optionally pass filters if pk exits on the db but filters exclude it it will return none. “"” pass
Expand All @@ -318,11 +320,11 @@ def get_related_model(self, prop):
def get_related_interface(self, col_name): “"” Returns a BaseInterface for the related model of column name. Returns a BaseInterface for the related model of column name. :param col_name: Column name with relation :return: BaseInterface :param col_name: Column name with relation :return: BaseInterface “"” raise NotImplementedError
Expand All @@ -334,25 +336,25 @@ def get_related_fk(self, model):
def get_columns_list(self): “"” Returns a list of all the columns names Returns a list of all the columns names “"” return []
def get_user_columns_list(self): “"” Returns a list of user viewable columns names Returns a list of user viewable columns names “"” return self.get_columns_list()
def get_search_columns_list(self): “"” Returns a list of searchable columns names Returns a list of searchable columns names “"” return []
def get_order_columns_list(self, list_columns=None): “"” Returns a list of order columns names Returns a list of order columns names “"” return []
Expand Down
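Review bot: in the `get` docstring hunk, "if pk exits on the db" should read "exists", and "it will return none" should be "None", since the method returns the Python singleton; the other hunks in this view only re-wrap docstrings (each shown twice, old and new) and change no behaviour, so they could be split from the security fix to keep the 4.3.2 backport minimal.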

Related news

GHSA-jhpr-j7cq-3jp3: Flask-AppBuilder vulnerable to possible disclosure of sensitive information on user error

### Impact

An authenticated malicious actor with Admin privileges could, by adding a special character on the add or edit User forms, trigger a database error; this error is surfaced back to the actor in the UI. On certain database engines this error can include the entire user row, including the pbkdf2:sha256 hashed password.

### Patches

Fixed in 4.3.2
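The CVE description above and this advisory describe the same failure mode: the text of a database exception is flashed to the browser, and on engines that echo the failing row in the error detail that text carries the password hash. The following is an added example, not Flask-AppBuilder's code, contrasting that pattern with the fixed-message approach the patch introduces (`"Database Error"` beside `"General Error"`, returned in the same `(message, severity)` tuple shape the commit shows). `FakeDatabaseError`, `fake_insert_user`, `FAKE_ROW_ERROR` and `leaks_secret` are all constructed for the example; the error text imitates an engine that includes the row, and the hash in it is a placeholder, not a real digest.

```python
"""Added example: surfacing a raw database error versus a fixed message.

Not Flask-AppBuilder's code. The database layer is a constructed stand-in so
the example runs offline.
"""
import logging
import re

log = logging.getLogger("crud")


class FakeDatabaseError(Exception):
    """Constructed stand-in for a DB driver's exception type."""


# Constructed error text imitating engines that echo the failing row in the
# error detail. The hash is a placeholder, not a real pbkdf2 digest.
FAKE_ROW_ERROR = (
    "check constraint violated on table ab_user\n"
    "DETAIL: Failing row contains (1, admin, Admin, User, "
    "pbkdf2:sha256:260000$EXAMPLEsalt$EXAMPLEhash, t)."
)


def fake_insert_user(username: str) -> None:
    """Constructed: any character outside [A-Za-z0-9_] makes the insert fail."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", username):
        raise FakeDatabaseError(FAKE_ROW_ERROR)


def add_user_vulnerable(username: str) -> tuple:
    """Pre-fix pattern: the exception text becomes the flashed UI message."""
    try:
        fake_insert_user(username)
        return ("Added Row", "info")
    except FakeDatabaseError as exc:
        # The raw engine error, row contents included, is returned to the UI.
        return (str(exc), "danger")


def add_user_hardened(username: str) -> tuple:
    """Post-fix pattern: log the detail server-side, flash a fixed message."""
    try:
        fake_insert_user(username)
        return ("Added Row", "info")
    except FakeDatabaseError:
        # Full traceback and message go to the server log only.
        log.exception("database error while adding user %r", username)
        return ("Database Error", "danger")


def leaks_secret(message: str) -> bool:
    """Detection check: does a UI-bound message carry a password hash?

    Useful as an assertion in view tests or as a filter on flashed messages.
    """
    return "pbkdf2:sha256" in message


if __name__ == "__main__":
    for handler in (add_user_vulnerable, add_user_hardened):
        msg, severity = handler("ad'min")
        print(handler.__name__, severity, "leaks hash:", leaks_secret(msg))
```

The hardened handler keeps the tuple shape the CRUD layer already uses, so the only visible change for a user is that the message is a constant; the engine detail is still recorded through `log.exception`, which is where an operator should be looking for it.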
