Vulnerability Description
Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dpgaspar | Flask-Appbuilder | < 3.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/dpgaspar/Flask-AppBuilder/pull/1775PatchThird Party Advisory
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-Third Party Advisory
- https://github.com/dpgaspar/Flask-AppBuilder/pull/1775PatchThird Party Advisory
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-Third Party Advisory
FAQ
What is CVE-2022-21659?
CVE-2022-21659 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a n...
How severe is CVE-2022-21659?
CVE-2022-21659 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-21659?
Check the references section above for vendor advisories and patch information. Affected products include: Dpgaspar Flask-Appbuilder.