PT-2022-15013 · Unknown · Flask-Appbuilder

Sam Wheating

Published

2022-01-31

Updated

2022-02-07

CVE-2022-21659

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Flask-AppBuilder versions prior to 3.4.4

Description The issue concerns a user enumeration vulnerability in Flask-AppBuilder, an application development framework built on top of the Flask web framework. This vulnerability allows a non-authenticated user to enumerate existing accounts by timing the response time from the server when logging in.

Recommendations For versions prior to 3.4.4, upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.

Exploit

Fix

Side Channel Attack

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-204CWE-203

Related Identifiers

CVE-2022-21659

GHSA-WFJW-W6PV-8P7F

PYSEC-2022-24

Affected Products

Flask-Appbuilder

PT-2022-15013 · Unknown · Flask-Appbuilder

CVE-2022-21659

Weakness Enumeration

Related Identifiers

Affected Products

References · 13