GHSA-p8q5-cvwx-wvwp

Published: 3 Mar 2025
Source: github
GitHub: reviewed
CVSS3: 3.7

Description

Flask-AppBuilder Observable Response Discrepancy

Impact

User enumeration in database authentication in Flask-AppBuilder < 4.5.3 when used with werkzeug >= 3.0.0. An unauthenticated attacker can enumerate existing usernames by timing the server's responses while brute-forcing login requests: the response time differs depending on whether the submitted username exists (CWE-204, Observable Response Discrepancy).

Patches

Upgrade to flask-appbuilder>=4.5.3

Workarounds

Downgrade werkzeug to <3.0.0
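The pattern behind this class of bug, and the standard fix, as an added example that is not Flask-AppBuilder's own code: the login handler below returns as soon as the username lookup fails, so the expensive password-hash check (the cost that a slower werkzeug default KDF makes more visible) only runs for accounts that exist. The hardened variant always runs the KDF once, against a precomputed dummy digest when the account is unknown, so timing no longer depends on account existence. Everything here is constructed: the user store, the passwords, the use of PBKDF2 from the standard library in place of werkzeug's hasher, and the assumption that skipping the hash on unknown users is the mechanism the advisory describes.

```python
import hashlib
import hmac
import os
import statistics
import time
from typing import Dict, Optional, Tuple

# Constructed cost parameter. PBKDF2-HMAC-SHA256 from the standard library stands in
# for werkzeug's password hasher so the example runs offline without Flask-AppBuilder.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(salt: bytes, digest: bytes, password: str) -> bool:
    """Recompute the digest and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)


# Constructed user store with a single registered account.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
}

# Dummy credential hashed once at startup; unknown usernames are checked against it
# so that they cost the same as a real account. Its password is never accepted.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-password-never-accepted")


def login_vulnerable(username: str, password: str) -> bool:
    """Hypothetical vulnerable handler: no KDF work is done for unknown usernames."""
    record = USERS.get(username)
    if record is None:
        return False  # microseconds; an existing user costs a full KDF run instead
    salt, digest = record
    return verify(salt, digest, password)


def login_hardened(username: str, password: str) -> bool:
    """Same decision, but exactly one KDF run happens on every path."""
    record = USERS.get(username)
    exists = record is not None
    salt, digest = record if exists else (_DUMMY_SALT, _DUMMY_DIGEST)
    ok = verify(salt, digest, password)
    return ok and exists  # a match against the dummy digest is still rejected


def median_seconds(login, username: str, password: str, samples: int = 7) -> float:
    """Median wall-clock time of `login` over several calls, as an attacker would measure."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, password)
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def enumeration_ratio(login, known: str = "alice", unknown: str = "nobody",
                      samples: int = 7) -> float:
    """Median response time for an existing username divided by that for an unknown one.
    Far above 1 means the two are distinguishable; close to 1 means they are not."""
    t_known = median_seconds(login, known, "wrong-password", samples)
    t_unknown = median_seconds(login, unknown, "wrong-password", samples)
    return t_known / t_unknown


if __name__ == "__main__":
    print(f"vulnerable handler: known/unknown = {enumeration_ratio(login_vulnerable):.1f}x")
    print(f"hardened handler:   known/unknown = {enumeration_ratio(login_hardened):.2f}x")
```

The remaining difference in the hardened handler is the store lookup itself, which is orders of magnitude below a KDF run and would be hidden by network jitter; the same reasoning applies when the lookup is a database query, as long as the query runs on both paths too. Downgrading werkzeug, the advisory's workaround, only makes the gap smaller by using a cheaper default hash; it does not remove the early return.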


Packages

Name: flask-appbuilder (pip)
Affected versions: < 4.5.3
Fixed version: 4.5.3

EPSS

Percentile: 47%
Score: 0.00237
Low

3.7 Low

CVSS3

Weaknesses

CWE-204

Related vulnerabilities

CVSS3: 3.7
nvd
11 months ago

Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.

CVSS3: 3.7
debian
11 months ago

Flask-AppBuilder is an application development framework. Prior to 4.5 ...
