CVE-2021-32805
📋 TL;DR
CVE-2021-32805 is an open redirect vulnerability in Flask-AppBuilder's OAuth login flow. The 'next' parameter that tells the application where to send the user after login is not validated, so an attacker can craft a login URL on a trusted Flask-AppBuilder application that, once the OAuth login completes, redirects the user to a site the attacker controls. This affects any application that uses Flask-AppBuilder OAuth authentication in a vulnerable version.
💻 Affected Systems
- Flask-AppBuilder
📦 What is this software?
Flask-AppBuilder is a Python web application framework built on Flask. It supplies authentication backends (database, LDAP, OpenID, OAuth and REMOTE_USER), role-based permissions and auto-generated CRUD views, and it underpins projects such as Apache Superset and Apache Airflow.
⚠️ Risk & Real-World Impact
Worst Case
Users are redirected to phishing sites that steal credentials or deliver malware, leading to account compromise, data theft, or system infection.
Likely Case
Attackers use crafted links in phishing campaigns to redirect users to malicious sites for credential harvesting or social engineering attacks.
If Mitigated
With proper URL validation, redirects are restricted to trusted domains only, preventing exploitation.
🎯 Exploit Status
Exploitation requires user interaction: the victim must open an attacker-supplied link, but the link points at the legitimate application's own OAuth login, which makes it look trustworthy. No account on the target application is needed to craft it. The vulnerability is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.2
Vendor Advisory: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-624f-cqvr-3qw4
Restart Required: Yes
Instructions:
1. Upgrade Flask-AppBuilder to version 3.3.2 or higher with pip (quote the specifier so the shell does not treat '>' as a redirection): pip install 'Flask-AppBuilder>=3.3.2'
2. Restart your Flask application so the new code is loaded.
3. Test the OAuth login end to end to confirm compatibility, including that a login with a relative 'next' value still lands on the intended page.
🔧 Temporary Workarounds
Filter malicious redirects at the web server or reverse proxy
Block requests whose 'next' parameter is an absolute URL (http://, https://, or the %3A-encoded form) or a protocol-relative URL (//, %2F%2F, or a slash followed by an encoded backslash). In-app paths such as next=/dashboard still pass. This is a stopgap: it does not catch every encoding variant (for example a raw backslash after the first slash), so it does not replace the upgrade.
# Example for nginx (server or location context):
if ($args ~* "(^|&)next=(https?(:|%3a)|(/|%2f)(/|%2f|%5c))") {
    return 403;
}
# Example for Apache (mod_rewrite):
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)next=(https?(:|%3a)|(/|%2f)(/|%2f|%5c)) [NC]
RewriteRule .* - [F]
🧯 If You Can't Patch
- Implement strict URL validation in application code to only allow redirects to trusted domains
- Disable OAuth authentication and use alternative authentication methods if possible
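An application-side check of the kind the first bullet describes, added here as an example; it is not Flask-AppBuilder's own fix. The helper names is_safe_redirect and safe_next are hypothetical, and request_host is assumed to be the host the request was actually served on (Flask's request.host, including a non-default port). It rejects absolute URLs to other hosts, protocol-relative URLs, backslash and percent-encoded variants, userinfo tricks and non-http schemes, and lets relative paths and same-host URLs through.

```python
from urllib.parse import unquote, urlsplit


def is_safe_redirect(target: str, request_host: str) -> bool:
    """Return True only if `target` keeps the browser on `request_host`.

    Hypothetical helper, not Flask-AppBuilder code. `request_host` is the
    host the request was served on (Flask: request.host).
    """
    if not target:
        return False
    # Decode once so "%2F%2Fevil.example" is judged like "//evil.example", and
    # fold backslashes to slashes because browsers treat "/\evil.example" as
    # "//evil.example" in http(s) URLs.
    value = unquote(target).strip().replace("\\", "/")
    if value.startswith("//"):          # protocol-relative, any number of slashes
        return False
    parts = urlsplit(value)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):   # javascript:, data:, ...
            return False
        if not parts.netloc:            # "https:evil.example" can resolve off-host
            return False
    # For an absolute URL the whole authority (user@host:port) must equal our
    # host, which also defeats "https://app.example.com@evil.example/".
    if parts.netloc and parts.netloc.lower() != request_host.lower():
        return False
    return True


def safe_next(target: str, request_host: str, fallback: str = "/") -> str:
    """Post-login destination: the requested one if it is safe, else `fallback`."""
    return target if is_safe_redirect(target, request_host) else fallback


if __name__ == "__main__":
    host = "app.example.com"   # assumed application host
    for candidate in ("/dashboard", "https://app.example.com/home",
                      "https://evil.example/phish", "//evil.example",
                      "/\\evil.example", "%2F%2Fevil.example",
                      "https://app.example.com@evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_next(candidate, host)}")
```

Wire it in at the point where the redirect is actually issued (in a Flask view, redirect(safe_next(request.args.get("next", ""), request.host))), not only where the parameter is first read; a value that is stored and replayed later must be checked again before the Location header is written.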
🔍 How to Verify
Check if Vulnerable:
Check the installed Flask-AppBuilder version with 'pip show Flask-AppBuilder' or examine requirements.txt. If the version is lower than 3.3.2 and OAuth authentication is enabled (AUTH_TYPE set to AUTH_OAUTH in the application config), the system is vulnerable.
Check Version:
python -c "import flask_appbuilder; print(flask_appbuilder.__version__)"
pip show Flask-AppBuilder | grep Version
Verify Fix Applied:
After the upgrade, verify the version is ≥3.3.2, then start an OAuth login with an external 'next' value (for example next=https://example.org) and confirm that after login you land on the application rather than on the external site, while a relative value such as next=/dashboard still works.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with a 'next' parameter whose value is an absolute or protocol-relative URL (https://, //, or the encoded %3A and %2F%2F forms) pointing to a host you do not own
- OAuth authentication attempts with suspicious redirect URLs
Network Indicators:
- HTTP 302 redirects from Flask-AppBuilder to unexpected external domains
SIEM Query:
web.url:*next=* AND NOT web.url:*next=*yourdomain.com*
Substring matching on your own domain is only a coarse filter: values such as next=https://yourdomain.com.attacker.example/ or next=https://yourdomain.com@attacker.example/ contain yourdomain.com and are excluded by this query, so parse the host of the remaining and excluded hits rather than relying on the substring alone.
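A detection pass that does what the SIEM query approximates, added here as an example that is not part of the original page: it parses access-log lines, percent-decodes the next= value once (as Flask's request.args does), and compares the authority a browser would actually land on with the application's own hostname, which catches the lookalike-subdomain and userinfo cases a substring match misses. The log lines and the host app.example.com are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Common Log Format (not real traffic); the
# application is assumed to be served at app.example.com.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2021:08:01:12 +0000] "GET /login/google?next=%2Fdashboard HTTP/1.1" 302 0
203.0.113.9 - - [10/Sep/2021:08:02:40 +0000] "GET /login/google?next=https%3A%2F%2Fevil.example%2Fsso HTTP/1.1" 302 0
198.51.100.4 - - [10/Sep/2021:08:03:05 +0000] "GET /login/google?next=%2F%2Fevil.example HTTP/1.1" 302 0
198.51.100.5 - - [10/Sep/2021:08:04:21 +0000] "GET /login/google?next=https%3A%2F%2Fapp.example.com%2Fhome HTTP/1.1" 302 0
198.51.100.6 - - [10/Sep/2021:08:05:00 +0000] "GET /login/google?next=https%3A%2F%2Fapp.example.com.evil.example%2F HTTP/1.1" 302 0
198.51.100.7 - - [10/Sep/2021:08:05:41 +0000] "GET /login/google?next=%2F%5Cevil.example HTTP/1.1" 302 0
192.0.2.8 - - [10/Sep/2021:08:06:33 +0000] "GET /static/app.css HTTP/1.1" 200 4120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def offsite_target(next_value: str) -> Optional[str]:
    """Authority a browser would land on for a decoded next= value, or None
    when the value is an in-app (relative) path.

    Backslashes are folded to slashes first because browsers treat them alike
    in http(s) URLs, so "/\\evil.example" is seen as "//evil.example". A scheme
    with no authority ("https:evil.example") is reported as-is, since browsers
    may resolve it off-site as well.
    """
    value = next_value.strip().replace("\\", "/")
    parts = urlsplit(value)
    if parts.netloc:
        return parts.netloc.lower()
    if parts.scheme:
        return value.lower()
    return None


def find_external_redirects(log_text: str, own_hosts: Iterable[str]) -> List[Dict[str, str]]:
    """Flag requests whose next= parameter points anywhere other than own_hosts.

    parse_qs percent-decodes each value once, like Flask's request.args, so
    %2F%2Fevil.example is inspected as //evil.example.
    """
    own = {h.lower() for h in own_hosts}
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("next", []):
            target = offsite_target(value)
            if target is not None and target not in own:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "next": value, "target": target})
    return hits


if __name__ == "__main__":
    for hit in find_external_redirects(SAMPLE_LOG, {"app.example.com"}):
        print(f"{hit['ts']} {hit['ip']} next={hit['next']!r} -> {hit['target']}")
```

Run it over the proxy or application access log for the OAuth login path; a same-host absolute URL (the fourth sample line) is not flagged, while the lookalike host app.example.com.evil.example is, which is the case the substring SIEM query gets backwards.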
🔗 References
- https://github.com/dpgaspar/Flask-AppBuilder/commit/6af28521589599b1dbafd6313256229ee9a4fa74
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-624f-cqvr-3qw4