CVE-2023-29005: Improper Restriction of Excessive Authentication Attempts
Flask-AppBuilder versions before 4.3.0 lack rate limiting on authentication, which can allow an attacker to brute-force user credentials. Version 4.3.0 adds the ability to rate-limit login attempts by setting AUTH_RATE_LIMITED = True, RATELIMIT_ENABLED = True, and an AUTH_RATE_LIMIT value.
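A configuration audit for the conditions described above, added here as an illustration and not code from Flask-AppBuilder or the advisory: it flags a deployment as exposed when the version predates 4.3.0 or when any of the three settings is missing or malformed. The version parser and the rate-string grammar (Flask-Limiter's "N per M unit" form) are assumptions, and all sample values are constructed.

```python
import re
from typing import List, Mapping, Optional, Tuple

# Version in which Flask-AppBuilder gained the login rate-limit settings (from the advisory).
FIXED_VERSION = (4, 3, 0)

# Assumed Flask-Limiter rate notation, e.g. "5 per 40 second" or "100/day".
# Only a single limit is handled; ';'-separated lists are treated as malformed.
_RATE_RE = re.compile(
    r"^\s*(\d+)\s*(?:per|/)\s*(\d+)?\s*(second|minute|hour|day|month|year)s?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.2.1' into (4, 2, 1); a trailing suffix such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_rate_limit(rate: str) -> Optional[Tuple[int, int, str]]:
    """Return (count, multiple, unit) for a rate string, or None if it is malformed."""
    m = _RATE_RE.match(rate)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 1), m.group(3).lower()


def audit_login_rate_limiting(fab_version: str, config: Mapping[str, object]) -> List[str]:
    """Return findings; an empty list means login brute-force protection is configured."""
    findings: List[str] = []
    if parse_version(fab_version) < FIXED_VERSION:
        findings.append(f"Flask-AppBuilder {fab_version} predates 4.3.0 and cannot rate-limit logins")
        return findings  # upgrading is the only fix; settings below do not exist yet
    if config.get("AUTH_RATE_LIMITED") is not True:
        findings.append("AUTH_RATE_LIMITED is not True: login attempts are not rate limited")
    if config.get("RATELIMIT_ENABLED") is not True:
        findings.append("RATELIMIT_ENABLED is not True: Flask-Limiter is disabled")
    rate = config.get("AUTH_RATE_LIMIT")
    if rate is None:
        findings.append("AUTH_RATE_LIMIT is not set")
    elif not isinstance(rate, str) or parse_rate_limit(rate) is None:
        findings.append(f"AUTH_RATE_LIMIT {rate!r} is not a valid rate string such as '5 per 40 second'")
    return findings
```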
References
- flask-limiter.readthedocs.io/en/stable/configuration.html
- github.com/advisories/GHSA-9hcr-9hcv-x6pv
- github.com/dpgaspar/Flask-AppBuilder/pull/1976
- github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.0
- github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-9hcr-9hcv-x6pv
- nvd.nist.gov/vuln/detail/CVE-2023-29005