PT-2021-18372 · PyPI · Flask-AppBuilder
Dolev Farhi
Published: 2021-05-27 · Updated: 2024-03-06
CVE-2021-29621
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Flask-AppBuilder versions 3.2.3 and earlier
Description
The issue allows an unauthenticated user to enumerate existing accounts by measuring how long the server takes to respond to a login attempt: the database authentication path in Flask-AppBuilder responds in a measurably different time depending on whether the submitted username exists, which is a user enumeration weakness.
Recommendations
For versions 3.2.3 and earlier, upgrade to version 3.3.0 or higher to resolve the issue. As a temporary workaround, consider restricting access to the login functionality to minimize the risk of exploitation.
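An added illustration (not Flask-AppBuilder's own code) of the login pattern behind this class of bug, placed beside the usual mitigation of running a dummy password-hash verification when the username is unknown so that both paths cost the same; the user table, credentials and hashing parameters are constructed for the example. The `timing_ratio` helper is the check a defender would run to confirm that the two paths no longer differ after the upgrade.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # deliberately slow hash so the gap between code paths is easy to see

def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed stand-in for the user table: username -> (salt, digest).
USERS = {"alice": hash_password("correct horse battery staple")}
# Throwaway credential hashed once at startup, used only to equalise work on a miss.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("not-a-real-password")

def login_vulnerable(username, password):
    """Pre-fix pattern: an unknown username returns before any hashing happens."""
    record = USERS.get(username)
    if record is None:
        return None  # fast path: the quick reply reveals that the account does not exist
    return username if verify_password(password, *record) else None

def login_hardened(username, password):
    """Mitigated pattern: an unknown username still pays for one full verification."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)  # same cost as the hit path
        return None
    return username if verify_password(password, *record) else None

def mean_login_time(login, username, password, rounds=3):
    start = time.perf_counter()
    for _ in range(rounds):
        login(username, password)
    return (time.perf_counter() - start) / rounds

def timing_ratio(login):
    """Unknown-user time divided by known-user time; close to 1.0 means no leak."""
    known = mean_login_time(login, "alice", "wrong password")
    unknown = mean_login_time(login, "mallory", "wrong password")
    return unknown / known
```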
Fix
Side Channel Attack
Weakness Enumeration
Related Identifiers
Affected Products
Flask-AppBuilder