CVE-2021-29621
Observable Response Discrepancy in Flask-AppBuilder
In short
Flask-AppBuilder allows attackers to discover which user accounts exist in the system by measuring how long the login page takes to respond. This happens because the server responds differently for valid usernames versus invalid ones, leaking information without needing a password.
Technical detail
A timing side-channel vulnerability in Flask-AppBuilder's database authentication (versions ≤ 3.2.3) enables unauthenticated user enumeration through response time discrepancies. An attacker can distinguish between valid and invalid usernames by analyzing login response times, facilitating targeted credential attacks. Mitigation requires upgrading to version 3.3.0 or later.
Summary generated and translated by AI from the official description.
Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non-authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.
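As an added illustration of the flaw class described above (constructed example, not Flask-AppBuilder's own code and not its actual fix), the Python below places a database-style login check that skips password hashing for unknown users next to a hardened one that always hashes against a dummy credential, so both outcomes cost the same; the in-memory user table, PBKDF2 parameters and function names are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a database-auth user table: username -> (salt, hash).
# Assumption: not Flask-AppBuilder's own code or storage format.
_ITERATIONS = 100_000

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)

USERS = {"alice": _make_user("correct horse battery")}

# Dummy credential: unknown usernames are verified against it so they pay the same cost.
_DUMMY_SALT, _DUMMY_HASH = _make_user("placeholder-credential")

def auth_user_db_vulnerable(username: str, password: str):
    """Pattern of the flaw: returns before hashing when the user is unknown,
    so an unknown username answers far faster than a known one."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    return username if hmac.compare_digest(_hash_password(password, salt), stored) else None

def auth_user_db_fixed(username: str, password: str):
    """Hardened form: hashing and comparison always run, against the dummy
    credential when the user does not exist, and unknown users still fail."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    return username if (record is not None and matched) else None

def median_login_time(check, username: str, password: str, rounds: int = 7) -> float:
    """Median seconds per attempt; usable as a local regression check for the discrepancy."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        check(username, password)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]
```

Hashing against a dummy credential equalises this one code path only; the full request (database lookup, lockout counters, template rendering) should still be timed end-to-end, since any other branch taken on user existence reintroduces the discrepancy.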
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
dpgaspar · Flask-AppBuilder
References
https://github.com/dpgaspar/Flask-AppBuilder/commit/780bd0e8fbf2d36ada52edb769477e0a4edae580
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-434h-p4gx-jm89
https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r5b754118ba4e996adf03863705d34168bffec202da5c6bdc9bf3add5%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r91067f953906d93aaa1c69fe2b5472754019cc6bd4f1ba81349d62a0%40%3Ccommits.airflow.apache.org%3E
https://pypi.org/project/Flask-AppBuilder/