CVE-2024-45314: 
Python vulnerability analysis and mitigation

Flask-AppBuilder, an application development framework, was found to have a security vulnerability (CVE-2024-45314) where the authentication database login form's default cache directives allowed browsers to locally store sensitive data. This vulnerability affects versions prior to 4.5.1 and was disclosed on September 4, 2024. The issue particularly impacts environments using shared computer resources (GitHub Advisory).

The vulnerability is related to the caching behavior of sensitive form fields in the authentication database login form. The issue stems from the absence of proper cache control directives, which could allow browsers to store sensitive data locally. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N according to NVD, while GitHub rates it as LOW with a score of 3.6 and vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N. The vulnerability is classified under CWE-525 (Use of Web Browser Cache Containing Sensitive Information) (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive data through browser caching on shared computer systems. When exploited, it could allow subsequent users of the same computer to access cached login form data, potentially compromising user credentials or other sensitive information (GitHub Advisory).

The vulnerability has been patched in version 4.5.1 of Flask-AppBuilder. For users unable to upgrade, a workaround is available by configuring the web server to send specific HTTP headers for the /login endpoint: 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0', 'Pragma: no-cache', and 'Expires: 0' (GitHub Advisory).