GHSA-434h-p4gx-jm89

Published: 27 May 2021
Source: github
GitHub: reviewed
CVSS4: 6.9
CVSS3: 5.3

Description

Observable Response Discrepancy in Flask-AppBuilder

Impact

User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows a non-authenticated user to enumerate existing accounts by timing the server's response to login attempts.
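As an added illustration (not code from Flask-AppBuilder or from this advisory), the pattern behind a CWE-203 timing discrepancy in database login beside a constant-work fix, plus the regression check a maintainer can keep in a test suite. The in-memory user table, salt, dummy credential and iteration count are all constructed here.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a database-backed user table (assumption, not
# Flask-AppBuilder's own schema); only "alice" exists.
ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential hashed whenever the username is unknown, so that path
# does the same expensive work as a real password check.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-placeholder", _DUMMY_SALT)


def auth_leaky(username: str, password: str) -> bool:
    """Leaky pattern: returns before hashing when the user is unknown, so a
    failed login for a missing account is measurably faster than for a real one."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def auth_constant_work(username: str, password: str) -> bool:
    """Hardened pattern: always run the hash (against the dummy credential when
    the user does not exist) and only then fold in whether the account exists."""
    record = USERS.get(username)
    exists = record is not None
    salt, stored = record if exists else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    return match and exists


def timing_gap(auth, rounds: int = 5) -> float:
    """Regression check: median seconds for a known user minus median for an
    unknown user, both with a wrong password. Near zero means no discrepancy."""
    def median_for(user):
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            auth(user, "wrong password")
            samples.append(time.perf_counter() - t0)
        return sorted(samples)[rounds // 2]
    return median_for("alice") - median_for("nobody")
```

`timing_gap(auth_leaky)` is roughly one PBKDF2 run, while `timing_gap(auth_constant_work)` stays close to zero.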

Patches

Upgrade to 3.3.0

For more information

If you have any questions or comments about this advisory:

Packages

Name: Flask-AppBuilder
Ecosystem: pip
Affected versions: < 3.3.0
Fixed version: 3.3.0

EPSS

Percentile: 62%
Score: 0.00429
Low

CVSS4: 6.9 Medium
CVSS3: 5.3 Medium

Weaknesses

CWE-203

Related vulnerabilities

CVSS3: 5.3
nvd
more than 4 years ago

Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.

CVSS3: 5.3
debian
more than 4 years ago

Flask-AppBuilder is a development framework, built on top of Flask. Us ...
