First published: Mon Jun 07 2021
Flask-AppBuilder is an application development framework built on top of Flask. Flask-AppBuilder versions up to and including 3.2.3 are vulnerable to user enumeration in database (DB) authentication: an unauthenticated client can tell whether a given username exists by timing the server's response to a login attempt, because the login path does measurably less work when the username is not in the database. Upgrade to version 3.3.0 or higher to resolve.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Flask-AppBuilder (Flask-appbuilder Project) | <= 3.2.3 | Upgrade to 3.3.0 or higher
Apache Airflow | = 1.10.0 |
CVE-2021-29621 is a vulnerability in Flask-AppBuilder <= 3.2.3 that allows an unauthenticated user to enumerate existing accounts by timing the server's response to login attempts with the DB authentication backend.
The severity of CVE-2021-29621 is medium, with a CVSS score of 5.3.
CVE-2021-29621 affects Flask-AppBuilder versions up to and including 3.2.3.
To fix CVE-2021-29621, upgrade Flask-AppBuilder to version 3.3.0 or higher.
Apache Airflow, which builds its web UI on Flask-AppBuilder, is listed as affected at version 1.10.0.
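The following is an added example written for this page, not Flask-AppBuilder's own code, showing the login pattern behind a timing-based user enumeration bug and the usual balanced fix. It uses only the Python standard library: a toy user table (constructed for the demonstration), PBKDF2 password hashes, a `login_vulnerable` function that skips hashing for unknown usernames, a `login_fixed` function that always performs one hash verification (against a dummy hash when the user does not exist or is inactive), and a `timing_ratio` helper that compares median response times so the leak is visible. All function and variable names, the hash parameters and the sample users are assumptions made for the example.

```python
"""Timing-based user enumeration in a DB login, and the balanced fix.

Added example modelled on the pattern behind CVE-2021-29621; this is not
Flask-AppBuilder's code. User table, names and parameters are assumed.
"""
import hashlib
import hmac
import os
import statistics
import time
from typing import Optional

# PBKDF2 parameters (assumed); chosen so one verification takes milliseconds,
# which is what makes the vulnerable fast path measurable from the outside.
ITERATIONS = 50_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'pbkdf2:sha256:<iters>$<salt>$<dk>' string."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2:sha256:{ITERATIONS}${salt.hex()}${dk.hex()}"


def check_password_hash(stored: str, password: str) -> bool:
    """Re-derive the key with the stored parameters and compare in constant time."""
    header, salt_hex, dk_hex = stored.split("$")
    _, algo, iters = header.split(":")
    dk = hashlib.pbkdf2_hmac(algo, password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed sample user table (assumed): username -> (password hash, is_active).
USERS = {
    "alice": (hash_password("correct horse"), True),
    "bob": (hash_password("battery staple"), True),
}

# Hash of a throwaway password, computed once, so the fixed login can do the
# same amount of work for a nonexistent user as for a real one.
DUMMY_HASH = hash_password("not-a-real-password")


def login_vulnerable(username: str, password: str) -> Optional[str]:
    """Vulnerable pattern: unknown users return before any hashing happens,
    so their responses are orders of magnitude faster than a wrong password
    for an existing account."""
    entry = USERS.get(username)
    if entry is None:
        return None                       # fast path leaks account existence
    stored, active = entry
    if active and check_password_hash(stored, password):
        return username
    return None


def login_fixed(username: str, password: str) -> Optional[str]:
    """Balanced pattern: exactly one PBKDF2 verification on every call, whether
    or not the account exists or is active."""
    entry = USERS.get(username)
    if entry is None or not entry[1]:
        check_password_hash(DUMMY_HASH, password)   # burn the same work, then fail
        return None
    stored, _ = entry
    if check_password_hash(stored, password):
        return username
    return None


def median_latency(login, username: str, password: str, samples: int = 5) -> float:
    """Median wall-clock time of `samples` login calls, in seconds."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        login(username, password)
        times.append(time.perf_counter() - t0)
    return statistics.median(times)


def timing_ratio(login, samples: int = 5) -> float:
    """Latency for an unknown user divided by latency for a known user with a
    wrong password. A ratio far below 1 means account existence leaks via
    response time; a ratio near 1 means the two cases are indistinguishable."""
    unknown = median_latency(login, "nobody", "wrong", samples)
    known = median_latency(login, "alice", "wrong", samples)
    return unknown / known


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(f"{name:10s} unknown/known latency ratio: {timing_ratio(fn):.4f}")
```

Running the script prints a ratio close to zero for `login_vulnerable` and close to one for `login_fixed`. The same measurement, taken against a live login endpoint over the network, is what an attacker uses to build a list of valid usernames; when reviewing a login handler, check that every failure branch (unknown user, inactive user, wrong password) performs the same hash verification before returning.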