=====================================================================
CERT-Renater Information Note No. 2025/VULN324
_____________________________________________________________________
DATE : 20/05/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running flask-appbuilder (pip) versions prior to 4.6.2.
=====================================================================
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-99pm-ch96-ccp2
_____________________________________________________________________

Open redirect vulnerability using HTTP host injection
Severity: Moderate
dpgaspar published GHSA-99pm-ch96-ccp2 on May 16, 2025

Package:           flask-appbuilder (pip)
Affected versions: <4.6.2
Patched versions:  4.6.2

Description

Impact
Flask-AppBuilder prior to 4.6.2 would allow a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests.

Patches
Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection.

Example:
FAB_SAFE_REDIRECT_HOSTS = ["yourdomain.com", "sub.yourdomain.com", "*.yourcompany.com"]

Workarounds
Use a reverse proxy to enforce trusted Host headers.

References
None listed in the advisory.

Severity
Moderate, 4.3 / 10

CVSS v3 base metrics
Attack vector:       Network
Attack complexity:   Low
Privileges required: None
User interaction:    Required
Scope:               Unchanged
Confidentiality:     Low
Integrity:           None
Availability:        None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE ID:     CVE-2025-32962
Weaknesses: CWE-601
Credits:    @mar0n0 (mar0n0), Reporter

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41            +
+ 75013 Paris          | email: cert@support.renater.fr  +
=========================================================
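To show why a static allow-list such as FAB_SAFE_REDIRECT_HOSTS closes this class of bug while a check derived from the request's own Host header does not, here is an added Python example; it is not Flask-AppBuilder's code, and the wildcard semantics of "*.yourcompany.com" entries and the helper names are assumptions.

```python
from urllib.parse import urlparse

# Allow-list in the shape of the advisory's FAB_SAFE_REDIRECT_HOSTS example.
SAFE_REDIRECT_HOSTS = ["yourdomain.com", "sub.yourdomain.com", "*.yourcompany.com"]


def host_allowed(hostname, safe_hosts=SAFE_REDIRECT_HOSTS):
    """True if hostname matches an allow-list entry.
    Assumed semantics: '*.x.com' covers subdomains of x.com, not the bare apex."""
    hostname = hostname.lower().rstrip(".")
    for entry in safe_hosts:
        entry = entry.lower()
        if entry.startswith("*."):
            # Suffix match on the dot boundary, so 'evilyourcompany.com' is rejected.
            if hostname.endswith(entry[1:]):
                return True
        elif hostname == entry:
            return True
    return False


def naive_is_safe(url, request_host):
    """Illustrative CWE-601 pattern (hypothetical, not FAB's actual code): treating the
    request's Host header as the definition of 'our own host'. Because the client
    chooses that header, the client also chooses which redirect targets pass."""
    target = urlparse(url)
    return not target.netloc or target.netloc.lower() == request_host.lower()


def is_safe_redirect(url, safe_hosts=SAFE_REDIRECT_HOSTS):
    """Hardened check: a plain absolute path, or an http(s) URL whose hostname is on
    a static allow-list that nothing in the request can influence."""
    target = urlparse(url)
    if target.scheme == "" and target.netloc == "":
        # '//host' parses with a netloc and '/\\host' is read by browsers as
        # scheme-relative, so only '/path' shaped values qualify here.
        return target.path.startswith("/") and target.path[1:2] not in ("/", "\\")
    # Reject non-http(s) schemes, scheme-relative URLs, and 'http:///host' forms
    # (empty netloc that browsers silently repair into a real host).
    if target.scheme not in ("http", "https") or not target.hostname:
        return False
    # .hostname strips port and userinfo, so 'yourdomain.com@evil' checks 'evil'.
    return host_allowed(target.hostname, safe_hosts)
```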