Description
Observable Response Discrepancy in Flask-AppBuilder
Impact
User enumeration in database authentication in Flask-AppBuilder < 3.4.4. An unauthenticated attacker can enumerate existing accounts by timing the server's response to login attempts: the response for a username that exists differs measurably from the response for one that does not.
Patches
Upgrade to 3.4.4
Workarounds
There are no known workarounds for this issue.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in example link to repo
- Email us at example email address
Links
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f
- https://nvd.nist.gov/vuln/detail/CVE-2022-21659
- https://github.com/dpgaspar/Flask-AppBuilder/pull/1775
- https://github.com/dpgaspar/Flask-AppBuilder/commit/e2b744c258ff62ece9d5ac7172c3b4644ff4c2fe
- https://github.com/dpgaspar/Flask-AppBuilder/commits/v3.4.4
- https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml
Packages
Flask-AppBuilder
Affected: < 3.4.4
Fixed: 3.4.4
EPSS
6.9 Medium
CVSS4
5.3 Medium
CVSS3
CVE ID
CVE-2022-21659
Defects
Related vulnerabilities
Flask-AppBuilder is an application development framework built on top of the Flask web framework. Affected versions contain a user enumeration vulnerability: an unauthenticated user can enumerate existing accounts by timing the server's response to login attempts. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.
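The Impact section and the description above both describe the same defect class: a database login that returns early when the username is unknown skips the (deliberately slow) password-hash check, so a failed login for a nonexistent account answers much faster than one for a real account with a wrong password. The example below is added here and is not Flask-AppBuilder's code; the linked fix commit is not reproduced on this page, so the hardened variant shows the standard remediation (verify a dummy hash on the unknown-user path) rather than the project's exact change. It uses stdlib PBKDF2 as a stand-in for the framework's password hasher, and the user table, passwords and iteration count are constructed.

```python
"""Timing-based user enumeration on a database login, and the usual fix.

Added example (not Flask-AppBuilder's code). A minimal stand-in for a
database-backed login: stdlib PBKDF2-SHA256 replaces the framework's
password hasher, and USERS stands in for the user table. All values
are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 100_000  # constructed cost; high enough to dwarf a dict lookup
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a simplified 'iterations$salt_hex$digest_hex' record."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password_hash(stored, password):
    """Recompute PBKDF2 for the candidate and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user table standing in for the database rows.
USERS = {"alice": hash_password("correct horse battery staple")}

# Throwaway record verified when the username is unknown, so that the
# failure path costs the same as a real password check (assumed remediation).
DUMMY_HASH = hash_password(os.urandom(16).hex())


def login_vulnerable(username, password):
    """Vulnerable pattern: unknown user returns before any hash is computed."""
    stored = USERS.get(username)
    if stored is None:
        return None  # fast path leaks that the account does not exist
    if check_password_hash(stored, password):
        return username
    return None


def login_hardened(username, password):
    """Hardened pattern: burn the same hashing cost on the unknown-user path."""
    stored = USERS.get(username)
    if stored is None:
        check_password_hash(DUMMY_HASH, password)  # result discarded on purpose
        return None
    if check_password_hash(stored, password):
        return username
    return None


def time_login(login, username, password, rounds=3):
    """Median wall-clock seconds for a login attempt."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        login(username, password)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def discrepancy_ratio(login):
    """Time for an unknown user divided by time for a known user with a wrong
    password. Near 0 means the login leaks account existence; near 1 means
    both failure paths are indistinguishable by timing."""
    unknown = time_login(login, "nobody", "hunter2")
    known = time_login(login, "alice", "hunter2")
    return unknown / known


if __name__ == "__main__":
    print(f"vulnerable ratio: {discrepancy_ratio(login_vulnerable):.4f}")
    print(f"hardened  ratio:  {discrepancy_ratio(login_hardened):.4f}")
```

Run it and the vulnerable ratio comes out orders of magnitude below 1 while the hardened ratio sits near 1; an attacker measuring the same two cases against a live endpoint gets exactly that signal. Note that the dummy check must use the same algorithm and cost parameters as real records, otherwise it simply moves the discrepancy rather than removing it.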