First published: Thu May 27 2021
### Impact

User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows a non-authenticated user to enumerate existing accounts by timing the server's response time when logging in.

### Patches

Upgrade to 3.3.0

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Flask-AppBuilder](https://github.com/dpgaspar/Flask-AppBuilder)
Credit: security-advisories@github.com
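The advisory describes a timing oracle in the database login path: when the submitted username does not exist, the server answers before doing the slow password-hash work, so unknown accounts respond measurably faster than existing ones. The example below is added here and is not Flask-AppBuilder's own code; it models that defect class in a small stand-alone login routine and places it beside the usual mitigation, which is to always run the password hash check, against a dummy hash when the user is unknown, so both outcomes cost the same. The user table, passwords and the `kdf_runs` instrumentation are constructed for the example.

```python
"""Added example (not Flask-AppBuilder's code): a database login that leaks
whether a username exists through response time, beside a hardened version.

When the username is not found, the vulnerable path returns before running the
slow password hash, so unknown accounts answer faster than existing ones.  The
hardened path always pays the hash cost, using a dummy hash for unknown users,
so the two outcomes take about the same time.  All data here is constructed.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # slow KDF on purpose; real password hashes are slow too


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, PBKDF2 hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credentials for the constant-work path: a random password nobody knows,
# so the check can never succeed, but it costs exactly one KDF run.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)

kdf_runs = 0  # instrumentation: how many KDF evaluations a login performed


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the derived hash against the stored one."""
    global kdf_runs
    kdf_runs += 1
    return hmac.compare_digest(hash_password(password, salt), expected)


def login_vulnerable(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False  # early return: no KDF work, so this answer comes back fast
    salt, expected = user
    return verify(password, salt, expected)


def login_hardened(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        # Unknown user: run the same KDF against the dummy hash, then fail.
        verify(password, _DUMMY_SALT, _DUMMY_HASH)
        return False
    salt, expected = user
    return verify(password, salt, expected)


def kdf_runs_for(login, username: str, password: str) -> int:
    """Return how many KDF evaluations `login` performs for these inputs."""
    global kdf_runs
    kdf_runs = 0
    login(username, password)
    return kdf_runs


def time_login(login, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock seconds for one login attempt."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(username, password)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[rounds // 2]


if __name__ == "__main__":
    for name, login in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        known = time_login(login, "alice", "wrong password")
        unknown = time_login(login, "nobody", "wrong password")
        print(f"{name:10s} existing user: {known * 1000:7.2f} ms   "
              f"unknown user: {unknown * 1000:7.2f} ms   "
              f"KDF runs (existing/unknown): "
              f"{kdf_runs_for(login, 'alice', 'x')}/{kdf_runs_for(login, 'nobody', 'x')}")
```

Running the block prints the per-path timings: the vulnerable login answers an unknown user in microseconds and an existing user only after a full KDF run, while the hardened login spends one KDF run either way. The same dummy-hash treatment has to cover every early exit in the real login path (inactive or disabled accounts as well as unknown ones), and it only closes the timing channel; distinct error messages or lockout behaviour for known versus unknown users would reopen the oracle, and rate limiting on the login endpoint limits how precisely response times can be measured at all.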
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Flask-appbuilder Project Flask-appbuilder | <=3.2.3 | |
| Apache Airflow | =1.10.0 | |
| pip/Flask-AppBuilder | <3.3.0 | 3.3.0 |
CVE-2021-29621 is a vulnerability in Flask-AppBuilder <= 3.2.3 that allows a non-authenticated user to enumerate existing accounts by timing the response time from the server during login.
The severity of CVE-2021-29621 is medium with a CVSS score of 5.3.
CVE-2021-29621 affects Flask-AppBuilder versions up to and including 3.2.3.
To fix CVE-2021-29621, upgrade Flask-AppBuilder to version 3.3 or higher.
Yes, Apache Airflow version 1.10.0 is also affected by CVE-2021-29621.