GHSA-wfjw-w6pv-8p7f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wfjw-w6pv-8p7f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-wfjw-w6pv-8p7f/GHSA-wfjw-w6pv-8p7f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wfjw-w6pv-8p7f
- Aliases
- Published
- 2022-02-01T00:47:53Z
- Modified
- 2024-09-20T17:10:05.762420Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Observable Response Discrepancy in Flask-AppBuilder
- Details
-
Impact
User enumeration in database authentication in Flask-AppBuilder < 3.4.4. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in.
Patches
Upgrade to 3.4.4
Workarounds
References
For more information
If you have any questions or comments about this advisory: * Open an issue in example link to repo * Email us at example email address
- Database specific
{ "nvd_published_at": "2022-01-31T21:15:00Z", "cwe_ids": [ "CWE-203", "CWE-204" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-01-31T20:19:12Z" }- References
-
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f
- https://nvd.nist.gov/vuln/detail/CVE-2022-21659
- https://github.com/dpgaspar/Flask-AppBuilder/pull/1775
- https://github.com/dpgaspar/Flask-AppBuilder/commit/e2b744c258ff62ece9d5ac7172c3b4644ff4c2fe
- https://github.com/dpgaspar/Flask-AppBuilder
- https://github.com/dpgaspar/Flask-AppBuilder/commits/v3.4.4
- https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml
Affected packages
PyPI / flask-appbuilder
Package
- Name
- flask-appbuilder
- View open source insights on deps.dev
- Purl
- pkg:pypi/flask-appbuilder
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.4.4
Affected versions
0.*
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.29
0.1.33
0.1.34
0.1.35
0.1.36
0.1.37
0.1.38
0.1.43
0.1.44
0.1.45
0.1.46
0.1.47
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.11
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.3.17
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0
1.7.1
1.8.0
1.8.1
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.10.0
1.11.0
1.11.1
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.13.0
1.13.1
2.*
2.0.0
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.2.0rc1
2.2.0rc2
2.2.0
2.2.1rc1
2.2.1rc2
2.2.1rc3
2.2.1
2.2.2rc1
2.2.2rc2
2.2.2rc3
2.2.2
2.2.3rc1
2.2.3rc2
2.2.3rc3
2.2.3rc4
2.2.3rc5
2.2.3rc6
2.2.3
2.2.4rc1
2.2.4
2.3.0rc1
2.3.0rc2
2.3.0rc3
2.3.0rc4
2.3.0
2.3.1rc1
2.3.1
2.3.2rc1
2.3.2
2.3.3rc1
2.3.3rc2
2.3.3rc3
2.3.3
2.3.4rc1
2.3.4
3.*
3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0
3.0.1rc1
3.0.1
3.1.0rc1
3.1.0rc2
3.1.0rc3
3.1.0
3.1.1rc1
3.1.1rc2
3.1.1rc3
3.1.1
3.2.0rc1
3.2.0rc2
3.2.0
3.2.1rc1
3.2.1
3.2.2rc1
3.2.2
3.2.3rc1
3.2.3rc2
3.2.3
3.3.0rc1
3.3.0
3.3.1rc1
3.3.1
3.3.2rc1
3.3.2
3.3.3rc1
3.3.3
3.3.4rc1
3.3.4
3.4.0rc1
3.4.0rc2
3.4.0
3.4.1rc1
3.4.1rc2
3.4.1rc3
3.4.1
3.4.2rc1
3.4.2
3.4.3rc1
3.4.3rc2
3.4.3
3.4.4rc1