CVE-2022-21659
MEDIUMFlask-AppBuilder < 3.4.4 - Unauthenticated User Enumeration via Login Timing Discrepancy
Title source: llmDescription
Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f
Patch, Third Party Advisory x_refsource_misc
https://github.com/dpgaspar/Flask-AppBuilder/pull/1775
Scores
CVSS v3
5.3
EPSS
0.0094
EPSS Percentile
56.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-203
Status
published
Products (2)
dpgaspar/flask-appbuilder
< 3.4.2
pypi/Flask-AppBuilder
0 - 3.4.4PyPI
Published
Jan 31, 2022
Tracked Since
Feb 18, 2026