cvelistv5 - CVE-2025-24023

CVE-2025-24023 (GCVE-0-2025-24023)

Vulnerability from cvelistv5 – Published: 2025-03-03 15:25 – Updated: 2025-03-03 18:41

Summary

Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.

Severity ?

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-204 - Observable Response Discrepancy

Assigner

GitHub_M

References

URL

Tags

https://github.com/dpgaspar/Flask-AppBuilder/secu…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	dpgaspar	Flask-AppBuilder	Affected: < 4.5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24023",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-03T18:41:12.287165Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-03T18:41:23.427Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Flask-AppBuilder",
          "vendor": "dpgaspar",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-03T15:25:55.437Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp"
        }
      ],
      "source": {
        "advisory": "GHSA-p8q5-cvwx-wvwp",
        "discovery": "UNKNOWN"
      },
      "title": "Observable Response Discrepancy in flask-appbuilder"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-24023",
    "datePublished": "2025-03-03T15:25:55.437Z",
    "dateReserved": "2025-01-16T17:31:06.459Z",
    "dateUpdated": "2025-03-03T18:41:23.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-24023\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-03-03T16:15:41.820\",\"lastModified\":\"2025-03-07T21:44:56.620\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.\"},{\"lang\":\"es\",\"value\":\"Flask-AppBuilder es un framework de desarrollo de aplicaciones. Antes de la versi\u00f3n 4.5.3, Flask-AppBuilder permite a los usuarios no autenticados enumerar nombres de usuario existentes cronometrando el tiempo de respuesta del servidor cuando se fuerzan solicitudes de inicio de sesi\u00f3n. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 4.5.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-204\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dpgaspar:flask-appbuilder:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.5.3\",\"matchCriteriaId\":\"BF28CA72-015B-43B1-A97C-02EA08C00137\"}]}]}],\"references\":[{\"url\":\"https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Observable Response Discrepancy in flask-appbuilder\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-204\", \"lang\": \"en\", \"description\": \"CWE-204: Observable Response Discrepancy\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 3.7, \"baseSeverity\": \"LOW\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp\"}], \"affected\": [{\"vendor\": \"dpgaspar\", \"product\": \"Flask-AppBuilder\", \"versions\": [{\"version\": \"\u003c 4.5.3\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-03T15:25:55.437Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.\"}], \"source\": {\"advisory\": \"GHSA-p8q5-cvwx-wvwp\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-24023\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-03T18:41:12.287165Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-03T18:41:18.673Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-24023\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2025-01-16T17:31:06.459Z\", \"datePublished\": \"2025-03-03T15:25:55.437Z\", \"dateUpdated\": \"2025-03-03T18:41:23.427Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-P8Q5-CVWX-WVWP

Vulnerability from github – Published: 2025-03-03 15:26 – Updated: 2025-04-09 20:01

Summary

Flask-AppBuilder Observable Response Discrepancy

Details

Impact

User enumeration in database authentication in Flask-AppBuilder <= 4.5.3 and werkzeug >= 3.0.0. Allows for a non authenticated user to enumerate existing usernames by timing the response time from the server when brute forcing requests to login.

Patches

Upgrade to flask-appbuilder>=4.5.3

Workarounds

Downgrade werkzeug to <3.0.0

References

Are there any links users can visit to find out more?

Severity ?

3.7 (Low)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "flask-appbuilder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T15:26:03Z",
    "nvd_published_at": "2025-03-03T16:15:41Z",
    "severity": "LOW"
  },
  "details": "### Impact\nUser enumeration in database authentication in Flask-AppBuilder \u003c= 4.5.3 and werkzeug \u003e= 3.0.0. Allows for a non authenticated user to enumerate existing usernames by timing the response time from the server when brute forcing requests to login.\n\n### Patches\n\nUpgrade to flask-appbuilder\u003e=4.5.3\n\n### Workarounds\nDowngrade werkzeug to \u003c3.0.0\n\n### References\n_Are there any links users can visit to find out more?_",
  "id": "GHSA-p8q5-cvwx-wvwp",
  "modified": "2025-04-09T20:01:40Z",
  "published": "2025-03-03T15:26:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24023"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2025-15.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flask-AppBuilder Observable Response Discrepancy"
}

FKIE_CVE-2025-24023

Vulnerability from fkie_nvd - Published: 2025-03-03 16:15 - Updated: 2025-03-07 21:44

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp	Vendor Advisory

Impacted products

	Vendor	Product	Version
	dpgaspar	flask-appbuilder	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dpgaspar:flask-appbuilder:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BF28CA72-015B-43B1-A97C-02EA08C00137",
              "versionEndExcluding": "4.5.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3."
    },
    {
      "lang": "es",
      "value": "Flask-AppBuilder es un framework de desarrollo de aplicaciones. Antes de la versi\u00f3n 4.5.3, Flask-AppBuilder permite a los usuarios no autenticados enumerar nombres de usuario existentes cronometrando el tiempo de respuesta del servidor cuando se fuerzan solicitudes de inicio de sesi\u00f3n. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 4.5.3."
    }
  ],
  "id": "CVE-2025-24023",
  "lastModified": "2025-03-07T21:44:56.620",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-03-03T16:15:41.820",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-204"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

PYSEC-2025-15

Vulnerability from pysec - Published: 2025-03-03 16:15 - Updated: 2025-04-09 17:27

Details

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Impacted products

Name	purl
flask-appbuilder	pkg:pypi/flask-appbuilder

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "flask-appbuilder",
        "purl": "pkg:pypi/flask-appbuilder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.10",
        "0.1.11",
        "0.1.12",
        "0.1.13",
        "0.1.14",
        "0.1.15",
        "0.1.16",
        "0.1.17",
        "0.1.18",
        "0.1.19",
        "0.1.20",
        "0.1.21",
        "0.1.22",
        "0.1.23",
        "0.1.24",
        "0.1.25",
        "0.1.26",
        "0.1.27",
        "0.1.28",
        "0.1.29",
        "0.1.3",
        "0.1.33",
        "0.1.34",
        "0.1.35",
        "0.1.36",
        "0.1.37",
        "0.1.38",
        "0.1.4",
        "0.1.43",
        "0.1.44",
        "0.1.45",
        "0.1.46",
        "0.1.47",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.1.8",
        "0.1.9",
        "0.10.0",
        "0.10.1",
        "0.10.2",
        "0.10.3",
        "0.10.4",
        "0.10.5",
        "0.10.6",
        "0.10.7",
        "0.2.0",
        "0.2.1",
        "0.2.2",
        "0.3.0",
        "0.3.1",
        "0.3.10",
        "0.3.11",
        "0.3.12",
        "0.3.13",
        "0.3.14",
        "0.3.15",
        "0.3.16",
        "0.3.17",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.3.6",
        "0.3.7",
        "0.3.8",
        "0.3.9",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.4.3",
        "0.5.0",
        "0.5.1",
        "0.5.2",
        "0.5.3",
        "0.5.4",
        "0.5.5",
        "0.5.6",
        "0.6.1",
        "0.6.10",
        "0.6.11",
        "0.6.12",
        "0.6.13",
        "0.6.14",
        "0.6.2",
        "0.6.3",
        "0.6.4",
        "0.6.5",
        "0.6.6",
        "0.6.7",
        "0.6.8",
        "0.6.9",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.5",
        "0.7.6",
        "0.7.7",
        "0.7.8",
        "0.8.0",
        "0.8.1",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.9.0",
        "0.9.1",
        "0.9.2",
        "0.9.3",
        "1.0.0",
        "1.0.1",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.10.0",
        "1.11.0",
        "1.11.1",
        "1.12.0",
        "1.12.1",
        "1.12.2",
        "1.12.3",
        "1.12.4",
        "1.12.5",
        "1.13.0",
        "1.13.1",
        "1.2.0",
        "1.2.1",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.3.6",
        "1.3.7",
        "1.4.0",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4.7",
        "1.5.0",
        "1.6.0",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.7.0",
        "1.7.1",
        "1.8.0",
        "1.8.1",
        "1.9.0",
        "1.9.1",
        "1.9.2",
        "1.9.3",
        "1.9.4",
        "1.9.5",
        "1.9.6",
        "2.0.0",
        "2.1.0",
        "2.1.1",
        "2.1.10",
        "2.1.11",
        "2.1.12",
        "2.1.13",
        "2.1.2",
        "2.1.3",
        "2.1.4",
        "2.1.5",
        "2.1.6",
        "2.1.7",
        "2.1.8",
        "2.1.9",
        "2.2.0",
        "2.2.0rc1",
        "2.2.0rc2",
        "2.2.1",
        "2.2.1rc1",
        "2.2.1rc2",
        "2.2.1rc3",
        "2.2.2",
        "2.2.2rc1",
        "2.2.2rc2",
        "2.2.2rc3",
        "2.2.3",
        "2.2.3rc1",
        "2.2.3rc2",
        "2.2.3rc3",
        "2.2.3rc4",
        "2.2.3rc5",
        "2.2.3rc6",
        "2.2.4",
        "2.2.4rc1",
        "2.3.0",
        "2.3.0rc1",
        "2.3.0rc2",
        "2.3.0rc3",
        "2.3.0rc4",
        "2.3.1",
        "2.3.1rc1",
        "2.3.2",
        "2.3.2rc1",
        "2.3.3",
        "2.3.3rc1",
        "2.3.3rc2",
        "2.3.3rc3",
        "2.3.4",
        "2.3.4rc1",
        "3.0.0",
        "3.0.0rc1",
        "3.0.0rc2",
        "3.0.0rc3",
        "3.0.0rc4",
        "3.0.1",
        "3.0.1rc1",
        "3.1.0",
        "3.1.0rc1",
        "3.1.0rc2",
        "3.1.0rc3",
        "3.1.1",
        "3.1.1rc1",
        "3.1.1rc2",
        "3.1.1rc3",
        "3.2.0",
        "3.2.0rc1",
        "3.2.0rc2",
        "3.2.1",
        "3.2.1rc1",
        "3.2.2",
        "3.2.2rc1",
        "3.2.3",
        "3.2.3rc1",
        "3.2.3rc2",
        "3.3.0",
        "3.3.0rc1",
        "3.3.1",
        "3.3.1rc1",
        "3.3.2",
        "3.3.2rc1",
        "3.3.3",
        "3.3.3rc1",
        "3.3.4",
        "3.3.4rc1",
        "3.4.0",
        "3.4.0rc1",
        "3.4.0rc2",
        "3.4.1",
        "3.4.1rc1",
        "3.4.1rc2",
        "3.4.1rc3",
        "3.4.2",
        "3.4.2rc1",
        "3.4.3",
        "3.4.3rc1",
        "3.4.3rc2",
        "3.4.4",
        "3.4.4rc1",
        "3.4.5",
        "3.4.5rc1",
        "4.0.0",
        "4.0.0rc1",
        "4.0.0rc2",
        "4.0.0rc3",
        "4.0.1rc1",
        "4.1.0",
        "4.1.1",
        "4.1.1rc1",
        "4.1.2",
        "4.1.2rc1",
        "4.1.3",
        "4.1.3rc1",
        "4.1.4",
        "4.1.4rc1",
        "4.1.5",
        "4.1.5rc1",
        "4.1.6",
        "4.1.6rc1",
        "4.1.7rc1",
        "4.2.0",
        "4.2.0rc1",
        "4.2.1",
        "4.2.1rc1",
        "4.2.2rc1",
        "4.3.0",
        "4.3.0rc1",
        "4.3.1",
        "4.3.10",
        "4.3.10rc1",
        "4.3.11",
        "4.3.11rc1",
        "4.3.1rc1",
        "4.3.2",
        "4.3.2rc1",
        "4.3.2rc2",
        "4.3.3",
        "4.3.3rc1",
        "4.3.3rc2",
        "4.3.4",
        "4.3.4rc1",
        "4.3.5",
        "4.3.5rc1",
        "4.3.5rc2",
        "4.3.6",
        "4.3.6rc1",
        "4.3.7",
        "4.3.7rc1",
        "4.3.8",
        "4.3.8rc1",
        "4.3.9",
        "4.3.9rc1",
        "4.4.0",
        "4.4.0rc1",
        "4.4.1",
        "4.4.1rc2",
        "4.5.0",
        "4.5.0rc1",
        "4.5.1",
        "4.5.1rc1",
        "4.5.2",
        "4.5.2rc1",
        "4.5.3rc1"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24023",
    "GHSA-p8q5-cvwx-wvwp"
  ],
  "details": "Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.",
  "id": "PYSEC-2025-15",
  "modified": "2025-04-09T17:27:25.227116+00:00",
  "published": "2025-03-03T16:15:41+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-24023 (GCVE-0-2025-24023)

GHSA-P8Q5-CVWX-WVWP

Impact

Patches

Workarounds

References

FKIE_CVE-2025-24023

PYSEC-2025-15

Tags

Sightings

Nomenclature