CVE-2022-21659

dpgaspar/Flask-AppBuilder

on GitHub

Published

Jan 31, 2022

Severity

CVSS v3:

5.3 MEDIUM

CVSS v2:

5 MEDIUM

Description

Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.

References

https://github.com/dpgaspar/Flask-AppBuilder/pull/1775
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:flask-appbuilder_project:flask-appbuilder::::::::	n/a	3.4.2	*
cpe:2.3:a:dpgaspar:flask-appbuilder::::::::	n/a	3.4.2	*

External Links

NVD - CVE-2022-21659