CVE-2022-24776
Open Redirect in Flask-AppBuilder
6.1
MEDIUM
CVSS 3.1
EPSS 0.35%
Description
Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 3.4.5 contain an open redirect vulnerability when using the database authentication login page. There are no known workarounds. Users are recommended to upgrade to version 3.4.5 or later.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Flask-AppBuilder](https://github.com/dpgaspar/Flask-AppBuilder)
How to fix CVE-2022-24776
To remediate CVE-2022-24776, upgrade the affected package to a fixed version below.
- Upgrade to 3.4.5 or later
Is CVE-2022-24776 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.4.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |