PYSEC-2022-24

Vulnerability from pysec - Published: 2022-01-31 21:15 - Updated: 2022-02-07 21:26
VLAI?
Details

Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.

Impacted products
Name purl
flask-appbuilder pkg:pypi/flask-appbuilder
Aliases
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "flask-appbuilder",
        "purl": "pkg:pypi/flask-appbuilder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.10",
        "0.1.11",
        "0.1.12",
        "0.1.13",
        "0.1.14",
        "0.1.15",
        "0.1.16",
        "0.1.17",
        "0.1.18",
        "0.1.19",
        "0.1.20",
        "0.1.21",
        "0.1.22",
        "0.1.23",
        "0.1.24",
        "0.1.25",
        "0.1.26",
        "0.1.27",
        "0.1.28",
        "0.1.29",
        "0.1.3",
        "0.1.33",
        "0.1.34",
        "0.1.35",
        "0.1.36",
        "0.1.37",
        "0.1.38",
        "0.1.4",
        "0.1.43",
        "0.1.44",
        "0.1.45",
        "0.1.46",
        "0.1.47",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.1.8",
        "0.1.9",
        "0.10.0",
        "0.10.1",
        "0.10.2",
        "0.10.3",
        "0.10.4",
        "0.10.5",
        "0.10.6",
        "0.10.7",
        "0.2.0",
        "0.2.1",
        "0.2.2",
        "0.3.0",
        "0.3.1",
        "0.3.10",
        "0.3.11",
        "0.3.12",
        "0.3.13",
        "0.3.14",
        "0.3.15",
        "0.3.16",
        "0.3.17",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.3.6",
        "0.3.7",
        "0.3.8",
        "0.3.9",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.4.3",
        "0.5.0",
        "0.5.1",
        "0.5.2",
        "0.5.3",
        "0.5.4",
        "0.5.5",
        "0.5.6",
        "0.6.1",
        "0.6.10",
        "0.6.11",
        "0.6.12",
        "0.6.13",
        "0.6.14",
        "0.6.2",
        "0.6.3",
        "0.6.4",
        "0.6.5",
        "0.6.6",
        "0.6.7",
        "0.6.8",
        "0.6.9",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.5",
        "0.7.6",
        "0.7.7",
        "0.7.8",
        "0.8.0",
        "0.8.1",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.9.0",
        "0.9.1",
        "0.9.2",
        "0.9.3",
        "1.0.0",
        "1.0.1",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.10.0",
        "1.11.0",
        "1.11.1",
        "1.12.0",
        "1.12.1",
        "1.12.2",
        "1.12.3",
        "1.12.4",
        "1.12.5",
        "1.13.0",
        "1.13.1",
        "1.2.0",
        "1.2.1",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.3.6",
        "1.3.7",
        "1.4.0",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4.7",
        "1.5.0",
        "1.6.0",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.7.0",
        "1.7.1",
        "1.8.0",
        "1.8.1",
        "1.9.0",
        "1.9.1",
        "1.9.2",
        "1.9.3",
        "1.9.4",
        "1.9.5",
        "1.9.6",
        "2.0.0",
        "2.1.0",
        "2.1.1",
        "2.1.10",
        "2.1.11",
        "2.1.12",
        "2.1.13",
        "2.1.2",
        "2.1.3",
        "2.1.4",
        "2.1.5",
        "2.1.6",
        "2.1.7",
        "2.1.8",
        "2.1.9",
        "2.2.0",
        "2.2.0rc1",
        "2.2.0rc2",
        "2.2.1",
        "2.2.1rc1",
        "2.2.1rc2",
        "2.2.1rc3",
        "2.2.2",
        "2.2.2rc1",
        "2.2.2rc2",
        "2.2.2rc3",
        "2.2.3",
        "2.2.3rc1",
        "2.2.3rc2",
        "2.2.3rc3",
        "2.2.3rc4",
        "2.2.3rc5",
        "2.2.3rc6",
        "2.2.4",
        "2.2.4rc1",
        "2.3.0",
        "2.3.0rc1",
        "2.3.0rc2",
        "2.3.0rc3",
        "2.3.0rc4",
        "2.3.1",
        "2.3.1rc1",
        "2.3.2",
        "2.3.2rc1",
        "2.3.3",
        "2.3.3rc1",
        "2.3.3rc2",
        "2.3.3rc3",
        "2.3.4",
        "2.3.4rc1",
        "3.0.0",
        "3.0.0rc1",
        "3.0.0rc2",
        "3.0.0rc3",
        "3.0.0rc4",
        "3.0.1",
        "3.0.1rc1",
        "3.1.0",
        "3.1.0rc1",
        "3.1.0rc2",
        "3.1.0rc3",
        "3.1.1",
        "3.1.1rc1",
        "3.1.1rc2",
        "3.1.1rc3",
        "3.2.0",
        "3.2.0rc1",
        "3.2.0rc2",
        "3.2.1",
        "3.2.1rc1",
        "3.2.2",
        "3.2.2rc1",
        "3.2.3",
        "3.2.3rc1",
        "3.2.3rc2",
        "3.3.0",
        "3.3.0rc1",
        "3.3.1",
        "3.3.1rc1",
        "3.3.2",
        "3.3.2rc1",
        "3.3.3",
        "3.3.3rc1",
        "3.3.4",
        "3.3.4rc1",
        "3.4.0",
        "3.4.0rc1",
        "3.4.0rc2",
        "3.4.1",
        "3.4.1rc1",
        "3.4.1rc2",
        "3.4.1rc3",
        "3.4.2rc1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21659",
    "GHSA-wfjw-w6pv-8p7f"
  ],
  "details": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.",
  "id": "PYSEC-2022-24",
  "modified": "2022-02-07T21:26:59.516513Z",
  "published": "2022-01-31T21:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.