CVE-2023-34110: 
Python vulnerability analysis and mitigation

Flask-AppBuilder, an application development framework built on top of Flask, was found to contain a security vulnerability (CVE-2023-34110) prior to version 4.3.2. The vulnerability was discovered and disclosed on June 22, 2023. The issue affects all versions of Flask-AppBuilder before 4.3.2 (GitHub Advisory).

The vulnerability is classified as a Generation of Error Message Containing Sensitive Information (CWE-209). It has been assigned a CVSS v3.1 base score of 2.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N. The vulnerability requires high privileges (admin access) to exploit and can be triggered through the network with low attack complexity (NVD).

When exploited, the vulnerability allows an authenticated malicious actor with Admin privileges to trigger a database error by adding special characters in the add/edit User forms. On certain database engines, this error message exposed back to the user interface could contain sensitive information, including the entire user row with pbkdf2:sha256 hashed passwords (GitHub Advisory).

The vulnerability has been fixed in Flask-AppBuilder version 4.3.2. Users are advised to upgrade to this version or later to address the issue. The fix was implemented through changes in the CRUD MVC log message handling to prevent sensitive information disclosure (GitHub Release).