First published: Mon Jan 31 2022(Updated: )
### Impact

User enumeration in database authentication in Flask-AppBuilder < 3.4.4. Allows a non-authenticated user to enumerate existing accounts by timing the server's response to login attempts.

### Patches

Upgrade to 3.4.4

### Workarounds

### References

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [example link to repo](http://example.com)
* Email us at [example email address](mailto:example@example.com)
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Flask-appbuilder Project Flask-appbuilder | <3.4.2 | |
pip/Flask-AppBuilder | <3.4.4 | 3.4.4 |
CVE-2022-21659 is a user enumeration vulnerability in Flask-AppBuilder, allowing unauthenticated users to enumerate existing accounts.
CVE-2022-21659 has a severity rating of 5.3 (medium).
CVE-2022-21659 allows attackers to determine the existence of user accounts by timing the response time from the server.
Flask-AppBuilder versions up to 3.4.2 are affected by CVE-2022-21659.
To mitigate CVE-2022-21659, it is recommended to update Flask-AppBuilder to a version beyond 3.4.2.
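The Impact section and the summary lines above describe the flaw abstractly: a login handler that answers faster for unknown usernames than for known ones lets an unauthenticated client tell the two cases apart by timing. The following Python is an added illustration written for this page; it is not Flask-AppBuilder's code and does not reproduce the actual patch. It contrasts a leaky handler shape (return early when the user is not found) with a constant-cost shape (always run the password hash, against a throwaway record when the user does not exist). The user store, the PBKDF2 parameters, and the `login_leaky` / `login_constant_cost` / `time_login` names are all constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample user store: username -> (salt, PBKDF2 digest).
# Every value here is made up for the example; ITERATIONS is an assumed
# work factor chosen so that one hash takes a noticeable fraction of a second.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password (stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, hash_password("correct horse battery staple", _SALT)),
}

# A throwaway credential hashed once at start-up. It can never be a valid
# login; it exists only so that an unknown username costs the same as a known
# one. The random secret is discarded, so nothing can match this record.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable shape: returns before any hashing when the user is unknown,
    so an unknown username answers far faster than a known one."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_constant_cost(username: str, password: str) -> bool:
    """Hardened shape: always run the expensive hash, against the dummy
    record when the user does not exist, then report one generic failure."""
    record = USERS.get(username)
    if record is None:
        salt, stored = _DUMMY_SALT, _DUMMY_HASH
        user_exists = False
    else:
        salt, stored = record
        user_exists = True
    password_ok = hmac.compare_digest(hash_password(password, salt), stored)
    # Both the lookup miss and the hash mismatch collapse into the same False.
    return user_exists and password_ok


def time_login(fn, username: str, password: str) -> float:
    """Wall-clock seconds for one login attempt (demonstration helper)."""
    start = time.perf_counter()
    fn(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (login_leaky, login_constant_cost):
        known = time_login(fn, "alice", "wrong password")
        unknown = time_login(fn, "nobody", "wrong password")
        print(f"{fn.__name__}: known user {known * 1000:.1f} ms, "
              f"unknown user {unknown * 1000:.1f} ms")
```

Running the script prints two timing pairs: for `login_leaky` the unknown-user attempt completes in microseconds while the known-user attempt pays for a full PBKDF2 run, which is exactly the signal the advisory describes; for `login_constant_cost` both attempts pay the same hashing cost. Equalising the work done on each path, rather than adding sleeps, is the usual fix, because a fixed delay still leaks once the attacker averages enough samples.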