CVE-2022-21659
MEDIUM5.3EPSS 0.34%Observable Response Discrepancy in Flask-AppBuilder
Published: 2/1/2022Modified: 3/7/2025
Description
### Impact User enumeration in database authentication in Flask-AppBuilder < 3.4.4. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. ### Patches Upgrade to 3.4.4 ### Workarounds ### References ### For more information If you have any questions or comments about this advisory: * Open an issue in [example link to repo](http://example.com) * Email us at [example email address](mailto:[email protected])
Affected packages (2)
- PyPI/flask-appbuilderfrom 0, < 3.4.4
- PyPI/flask-appbuilderfrom 0, < 3.4.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-21659
- PATCHhttps://github.com/dpgaspar/Flask-AppBuilder
- WEBhttps://github.com/dpgaspar/Flask-AppBuilder/commit/e2b744c258ff62ece9d5ac7172c3b4644ff4c2fe
- WEBhttps://github.com/dpgaspar/Flask-AppBuilder/commits/v3.4.4
- WEBhttps://github.com/dpgaspar/Flask-AppBuilder/pull/1775
- WEBhttps://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml