CVE-2024-25128
Authentication Bypass vulnerability in flask-appbuilder (PyPI)
What is CVE-2024-25128 About?
This vulnerability in Flask-AppBuilder, when configured with AUTH_TYPE AUTH_OID using the deprecated OpenID 2.0 protocol, allows attackers to forge HTTP requests that deceive the backend into using an attacker-controlled OpenID service. This can lead to unauthorized privileged access if the attacker deploys a custom OpenID service. Exploitation is possible because of the reliance on an outdated authentication protocol.
Affected Software
Technical Details
The vulnerability resides in Flask-AppBuilder when configured to use AUTH_TYPE AUTH_OID with the legacy OpenID 2.0 protocol. An attacker can craft an HTTP request that manipulates the OpenID service URL. By directing the application to an attacker-controlled OpenID service, the attacker can authenticate as a legitimate user, potentially gaining unauthorized privileged access to the application. This is possible because the application's backend trusts the OpenID service named in the forged request without sufficient validation, a weakness compounded by the use of the deprecated OpenID 2.0 protocol.
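As an added example (not Flask-AppBuilder's code and not its actual fix), the check below shows the mitigation the description implies: the provider URL used for an AUTH_OID login is resolved against the operator's configured provider list, and the configured value is what gets used, never a URL taken from the request. The OPENID_PROVIDERS list shape (dicts with "name" and "url") is assumed from Flask-AppBuilder's documentation; the function names and sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample configuration: the only identity providers this
# deployment intends to trust (assumed OPENID_PROVIDERS shape).
OPENID_PROVIDERS = [
    {"name": "Corporate SSO", "url": "https://sso.example.com/openid"},
    {"name": "Partner IdP", "url": "https://idp.partner.example/op/"},
]


class UntrustedProvider(Exception):
    """Raised when a login request names a provider that is not configured."""


def normalize(url: str) -> str:
    """Canonicalise scheme, host, port and path so trivial variants of a
    configured URL still match and nothing else does. Userinfo, query and
    fragment are dropped: a configured provider URL has none, so a request
    like https://sso.example.com@other.example/... resolves to other.example."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("provider URL must be absolute https")
    host = parts.hostname.lower()
    if parts.port and parts.port != 443:
        host = f"{host}:{parts.port}"
    path = parts.path.rstrip("/") or "/"
    return urlunsplit(("https", host, path, "", ""))


def resolve_provider(requested_url: str, providers=OPENID_PROVIDERS) -> str:
    """Return the *configured* provider URL the request refers to, or raise.

    The vulnerable pattern hands the request-supplied URL straight to the
    OpenID client; here only a URL already present in the operator's
    configuration is ever returned."""
    try:
        wanted = normalize(requested_url)
    except ValueError as exc:
        raise UntrustedProvider(str(exc)) from exc
    for provider in providers:
        if normalize(provider["url"]) == wanted:
            return provider["url"]
    raise UntrustedProvider(f"{requested_url!r} is not a configured OpenID provider")


def is_trusted_provider(requested_url: str, providers=OPENID_PROVIDERS) -> bool:
    """Boolean convenience wrapper, e.g. for a login-form validator."""
    try:
        resolve_provider(requested_url, providers)
        return True
    except UntrustedProvider:
        return False
```

Logging each UntrustedProvider rejection with the offending URL gives a useful detection signal for attempts to steer AUTH_OID logins to an unlisted provider.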
What is the Impact of CVE-2024-25128?
Successful exploitation may allow attackers to gain unauthorized privileged access, bypass authentication mechanisms, or compromise user accounts.
What is the Exploitability of CVE-2024-25128?
Exploitation requires the Flask-AppBuilder application to be configured with AUTH_TYPE AUTH_OID and to be using the deprecated OpenID 2.0 protocol. The attacker needs to be able to forge HTTP requests and to deploy their own OpenID service that the backend can reach. No authentication is required to send the forged request, and successful exploitation grants unauthorized access. This is a remotely exploitable vulnerability; an attacker-controlled OpenID service reachable by the backend is what makes exploitation practical.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-25128?
Available Upgrade Options
- flask-appbuilder
- <4.3.11 → Upgrade to 4.3.11
Additional Resources
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj
- https://nvd.nist.gov/vuln/detail/CVE-2024-25128
- https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8
- https://osv.dev/vulnerability/GHSA-j2pw-vp55-fqqj
- https://github.com/dpgaspar/Flask-AppBuilder
What are Similar Vulnerabilities to CVE-2024-25128?
Similar Vulnerabilities: CVE-2023-38600, CVE-2023-50041, CVE-2023-24819, CVE-2022-38706, CVE-2020-21390
