Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-21659

Good to know:

icon
icon

Date: January 31, 2022

Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.

Language: Python

Severity Score

Related Resources (8)

https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml
https://github.com/dpgaspar/Flask-AppBuilder/pull/1775
https://github.com/dpgaspar/Flask-AppBuilder
https://nvd.nist.gov/vuln/detail/CVE-2022-21659
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f
https://github.com/dpgaspar/Flask-AppBuilder/commit/e2b744c258ff62ece9d5ac7172c3b4644ff4c2fe
https://github.com/dpgaspar/Flask-AppBuilder/commits/v3.4.4
https://www.mend.io/vulnerability-database/CVE-2022-21659

Severity Score

Weakness Type (CWE)

Observable Discrepancy

CWE-203

Observable Response Discrepancy

CWE-204

Top Fix

icon

Upgrade Version

Upgrade to version Flask-AppBuilder - 3.4.4

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us