CVE-2021-29621
MEDIUMDpgaspar Flask-appbuilder < 3.2.3 - Information Disclosure
Title source: ruleDescription
Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.
References (6)
Core 6
Core References
Third Party Advisory x_refsource_confirm
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-434h-p4gx-jm89
Patch, Third Party Advisory x_refsource_misc
https://github.com/dpgaspar/Flask-AppBuilder/commit/780bd0e8fbf2d36ada52edb769477e0a4edae580
Product, Third Party Advisory x_refsource_misc
https://pypi.org/project/Flask-AppBuilder/
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r5b754118ba4e996adf03863705d34168bffec202da5c6bdc9bf3add5%40%3Cannounce.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352%40%3Cannounce.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r91067f953906d93aaa1c69fe2b5472754019cc6bd4f1ba81349d62a0%40%3Ccommits.airflow.apache.org%3E
Scores
CVSS v3
5.3
EPSS
0.0043
EPSS Percentile
62.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-203
Status
published
Products (3)
apache/airflow
1.10.0
dpgaspar/flask-appbuilder
< 3.2.3
pypi/Flask-AppBuilder
0 - 3.3.0PyPI
Published
Jun 07, 2021
Tracked Since
Feb 18, 2026