Headline
GHSA-fw5r-6m3x-rh7p: Flask-AppBuilder's login form allows browser to cache sensitive fields
Impact
Auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources.
Patches
Upgrade flask-appbuilder to version 4.5.1
Workarounds
If upgrading is not possible configure your web server to send the following HTTP headers for /login: "Cache-Control": “no-store, no-cache, must-revalidate, max-age=0” "Pragma": “no-cache” "Expires": “0”
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-45314
Flask-AppBuilder’s login form allows browser to cache sensitive fields
Low severity GitHub Reviewed Published Sep 4, 2024 in dpgaspar/Flask-AppBuilder • Updated Sep 4, 2024
Package
pip flask-appbuilder (pip)
Affected versions
< 4.5.1
Impact
Auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources.
Patches
Upgrade flask-appbuilder to version 4.5.1
Workarounds
If upgrading is not possible configure your web server to send the following HTTP headers for /login:
"Cache-Control": “no-store, no-cache, must-revalidate, max-age=0”
"Pragma": “no-cache”
"Expires": “0”
References
- GHSA-fw5r-6m3x-rh7p
- dpgaspar/Flask-AppBuilder@3030e88
Published to the GitHub Advisory Database
Sep 4, 2024