Skip to content

Observable Response Discrepancy in Flask-AppBuilder

Moderate
dpgaspar published GHSA-wfjw-w6pv-8p7f Jan 31, 2022

Package

pip Flask-AppBuilder (pip)

Affected versions

<3.4.2

Patched versions

3.4.2

Description

Impact

User enumeration in database authentication in Flask-AppBuilder <= 3.4.1. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in.

Patches

Upgrade to 3.4.2

Workarounds

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2022-21659

Weaknesses

Credits