Can you explain this vulnerability to me?

This vulnerability occurs in Flask-AppBuilder versions prior to 4.8.1 when using OAuth, LDAP, or other non-database authentication methods. The password reset endpoint remains accessible even though it is not shown in the user interface. This allows an enabled user to reset their password and generate JWT tokens even after their account has been disabled on the authentication provider.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

The vulnerability can allow users who have been disabled on the authentication provider to still reset their passwords and create JWT tokens, potentially enabling unauthorized access or actions within the application despite being disabled.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious password reset attempts from disabled accounts targeting the password reset endpoint. Since the password reset endpoint remains accessible even when not shown in the UI, you can check web server or application logs for requests to the password reset URL. Specific commands depend on your logging setup, but for example, using grep on access logs to find password reset attempts: grep 'reset_password' /path/to/access.log. Additionally, monitoring authentication logs for password reset activity from disabled users can help detect exploitation attempts.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Flask-AppBuilder to version 4.8.1 or later. If upgrading is not immediately possible, manually disable the password reset routes in the application configuration, implement additional access controls at the web server or proxy level to block access to the password reset URL, and monitor for suspicious password reset attempts from disabled accounts.

Useful 0 Not Useful 0