First published: Mon Apr 10 2023(Updated: )
Flask-AppBuilder versions before 4.3.0 lack rate limiting which can allow an attacker to brute-force user credentials. Version 4.3.0 includes the ability to enable rate limiting using `AUTH_RATE_LIMITED = True`, `RATELIMIT_ENABLED = True`, and setting an `AUTH_RATE_LIMIT`.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Flask-appbuilder Project Flask-appbuilder | <4.3.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-29005 is a vulnerability in Flask-AppBuilder versions before 4.3.0 that lacks rate limiting, enabling attackers to brute-force user credentials.
An attacker can exploit CVE-2023-29005 by using brute-force techniques to try various combinations of user credentials until they find a valid match.
CVE-2023-29005 has a severity rating of 7.5 (high).
To fix CVE-2023-29005, upgrade to Flask-AppBuilder version 4.3.0 or higher, and enable rate limiting using `AUTH_RATE_LIMITED = True`, `RATELIMIT_ENABLED = True`, and set an `AUTH_RATE_LIMIT` value.
You can find more information about CVE-2023-29005 in the references section of the vulnerability advisory.