{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45314", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-08-26T18:25:35.444Z", "datePublished": "2024-09-04T16:08:41.004Z", "dateUpdated": "2024-09-04T17:43:05.895Z"}, "containers": {"cna": {"title": "Flask-AppBuilder login form allows browser to cache sensitive fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-525", "lang": "en", "description": "CWE-525: Use of Web Browser Cache Containing Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fw5r-6m3x-rh7p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fw5r-6m3x-rh7p"}, {"name": "https://github.com/dpgaspar/Flask-AppBuilder/commit/3030e881d2e44f4021764e18e489fe940a9b3636", "tags": ["x_refsource_MISC"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/3030e881d2e44f4021764e18e489fe940a9b3636"}], "affected": [{"vendor": "dpgaspar", "product": "Flask-AppBuilder", "versions": [{"version": "< 4.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-04T16:08:41.004Z"}, "descriptions": [{"lang": "en", "value": "Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch for this issue. If upgrading is not possible, configure one's web server to send the specific HTTP headers for `/login` per the directions provided in the GitHub Security Advisory."}], "source": {"advisory": "GHSA-fw5r-6m3x-rh7p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T17:40:06.308298Z", "id": "CVE-2024-45314", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T17:43:05.895Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45314", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-04T17:40:06.308298Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T17:42:26.850Z"}}], "cna": {"title": "Flask-AppBuilder login form allows browser to cache sensitive fields", "source": {"advisory": "GHSA-fw5r-6m3x-rh7p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.6, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "dpgaspar", "product": "Flask-AppBuilder", "versions": [{"status": "affected", "version": "< 4.5.1"}]}], "references": [{"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fw5r-6m3x-rh7p", "name": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fw5r-6m3x-rh7p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/3030e881d2e44f4021764e18e489fe940a9b3636", "name": "https://github.com/dpgaspar/Flask-AppBuilder/commit/3030e881d2e44f4021764e18e489fe940a9b3636", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch for this issue. If upgrading is not possible, configure one's web server to send the specific HTTP headers for `/login` per the directions provided in the GitHub Security Advisory."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-525", "description": "CWE-525: Use of Web Browser Cache Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-04T16:08:41.004Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45314", "state": "PUBLISHED", "dateUpdated": "2024-09-04T17:43:05.895Z", "dateReserved": "2024-08-26T18:25:35.444Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-04T16:08:41.004Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dpgaspar:flask_app_builder:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3DCADA8-B241-4FC2-899E-520EEB2640FE", "versionEndExcluding": "4.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch for this issue. If upgrading is not possible, configure one's web server to send the specific HTTP headers for `/login` per the directions provided in the GitHub Security Advisory."}, {"lang": "es", "value": "Flask-AppBuilder es un framework de desarrollo de aplicaciones. Antes de la versi\u00f3n 4.5.1, las directivas de cach\u00e9 predeterminadas del formulario de inicio de sesi\u00f3n de la base de datos de autenticaci\u00f3n permiten que el navegador almacene localmente datos confidenciales. Esto puede ser un problema en entornos que utilizan recursos inform\u00e1ticos compartidos. La versi\u00f3n 4.5.1 contiene un parche para este problema. Si no es posible realizar la actualizaci\u00f3n, configure su servidor web para que env\u00ede los encabezados HTTP espec\u00edficos para `/login` seg\u00fan las instrucciones proporcionadas en el Aviso de seguridad de GitHub."}], "id": "CVE-2024-45314", "lastModified": "2024-09-12T16:39:53.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-04T16:15:08.833", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/3030e881d2e44f4021764e18e489fe940a9b3636"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fw5r-6m3x-rh7p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-525"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}