CVE-2022-21659: Observable Response Discrepancy in Flask-AppBuilder
User enumeration in database authentication in Flask-AppBuilder < 3.4.4. Allows an unauthenticated user to enumerate existing accounts by measuring how long the server takes to respond to a login attempt: the response time differs depending on whether the submitted username exists.
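The timing side channel described above comes from a login routine that only runs the expensive password-hash check when the username exists. The following is an added, constructed illustration (not Flask-AppBuilder's own code): a vulnerable login beside a hardened one that burns the same KDF cost on the unknown-user path, with a call counter so the equal work is testable rather than only timed. The user store, password values and `login_*`/`kdf_calls_for` names are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; the cost that leaks when skipped


def hash_password(password, salt=None):
    """Return (salt, pbkdf2 digest) for a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed in-memory user store: username -> (salt, digest).
USERS = {"alice": hash_password("correct horse battery staple")}

# Dummy credential used only so an unknown username costs the same as a real check.
DUMMY_SALT, DUMMY_DIGEST = hash_password("not-a-real-password")

KDF_CALLS = {"count": 0}  # instrumentation: proves both paths do equal work


def verify(salt, expected, password):
    KDF_CALLS["count"] += 1
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def login_vulnerable(username, password):
    record = USERS.get(username)
    if record is None:
        return None  # fast path: no KDF work, so the response is measurably quicker
    salt, digest = record
    return username if verify(salt, digest, password) else None


def login_hardened(username, password):
    record = USERS.get(username)
    if record is None:
        verify(DUMMY_SALT, DUMMY_DIGEST, password)  # same KDF cost as a real check
        return None
    salt, digest = record
    return username if verify(salt, digest, password) else None


def kdf_calls_for(login, username, password):
    """Number of KDF invocations one login attempt triggers (0 reveals the shortcut)."""
    before = KDF_CALLS["count"]
    login(username, password)
    return KDF_CALLS["count"] - before
```

Equal KDF work is necessary but not sufficient: the hardened path must also return the same error message and status code for unknown users and wrong passwords.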
References
- github.com/advisories/GHSA-wfjw-w6pv-8p7f
- github.com/dpgaspar/Flask-AppBuilder
- github.com/dpgaspar/Flask-AppBuilder/commit/e2b744c258ff62ece9d5ac7172c3b4644ff4c2fe
- github.com/dpgaspar/Flask-AppBuilder/commits/v3.4.4
- github.com/dpgaspar/Flask-AppBuilder/pull/1775
- github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f
- github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml
- nvd.nist.gov/vuln/detail/CVE-2022-21659