GHSA-624f-cqvr-3qw4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-624f-cqvr-3qw4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-624f-cqvr-3qw4/GHSA-624f-cqvr-3qw4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-624f-cqvr-3qw4
- Aliases
- Related
- Published
- 2021-09-08T21:11:14Z
- Modified
- 2026-03-13T22:00:21.466235Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Flask-AppBuilder Open Redirect vulnerability
- Details
-
Impact
If using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder, this URL can redirect a user to a malicious site. This is an open redirect vulnerability
Patches
Install Flask-AppBuilder 3.2.2 or above
Workarounds
Filter HTTP traffic containing
?next={next-site}where thenext-sitedomain is different from the application you are protecting - Database specific
{ "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2021-09-08T21:10:56Z", "nvd_published_at": "2021-09-08T18:15:00Z", "cwe_ids": [ "CWE-601" ] }- References
-
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-624f-cqvr-3qw4
- https://nvd.nist.gov/vuln/detail/CVE-2021-32805
- https://github.com/dpgaspar/Flask-AppBuilder/commit/6af28521589599b1dbafd6313256229ee9a4fa74
- https://github.com/dpgaspar/Flask-AppBuilder
- https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v3.3.2
- https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2021-359.yaml
- https://pypi.org/project/Flask-AppBuilder
Affected packages
PyPI / flask-appbuilder
Package
- Name
- flask-appbuilder
- View open source insights on deps.dev
- Purl
- pkg:pypi/flask-appbuilder
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.3.2
Affected versions
0.*
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.29
0.1.33
0.1.34
0.1.35
0.1.36
0.1.37
0.1.38
0.1.43
0.1.44
0.1.45
0.1.46
0.1.47
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.11
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.3.17
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0
1.7.1
1.8.0
1.8.1
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.10.0
1.11.0
1.11.1
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.13.0
1.13.1
2.*
2.0.0
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.2.0rc1
2.2.0rc2
2.2.0
2.2.1rc1
2.2.1rc2
2.2.1rc3
2.2.1
2.2.2rc1
2.2.2rc2
2.2.2rc3
2.2.2
2.2.3rc1
2.2.3rc2
2.2.3rc3
2.2.3rc4
2.2.3rc5
2.2.3rc6
2.2.3
2.2.4rc1
2.2.4
2.3.0rc1
2.3.0rc2
2.3.0rc3
2.3.0rc4
2.3.0
2.3.1rc1
2.3.1
2.3.2rc1
2.3.2
2.3.3rc1
2.3.3rc2
2.3.3rc3
2.3.3
2.3.4rc1
2.3.4
3.*
3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0
3.0.1rc1
3.0.1
3.1.0rc1
3.1.0rc2
3.1.0rc3
3.1.0
3.1.1rc1
3.1.1rc2
3.1.1rc3
3.1.1
3.2.0rc1
3.2.0rc2
3.2.0
3.2.1rc1
3.2.1
3.2.2rc1
3.2.2
3.2.3rc1
3.2.3rc2
3.2.3
3.3.0rc1
3.3.0
3.3.1rc1
3.3.1
3.3.2rc1