cvelistv5 - cve-2022-21659

URL	Tags
security-advisories@github.com	https://github.com/dpgaspar/Flask-AppBuilder/pull/1775	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dpgaspar/Flask-AppBuilder/pull/1775	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f	Third Party Advisory

▼	Vendor	Product
	n/a	n/a

pysec-2022-24

Vulnerability from pysec

Published

2022-01-31 21:15

Modified

2022-02-07 21:26

Details

Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "flask-appbuilder",
        "purl": "pkg:pypi/flask-appbuilder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.10",
        "0.1.11",
        "0.1.12",
        "0.1.13",
        "0.1.14",
        "0.1.15",
        "0.1.16",
        "0.1.17",
        "0.1.18",
        "0.1.19",
        "0.1.20",
        "0.1.21",
        "0.1.22",
        "0.1.23",
        "0.1.24",
        "0.1.25",
        "0.1.26",
        "0.1.27",
        "0.1.28",
        "0.1.29",
        "0.1.3",
        "0.1.33",
        "0.1.34",
        "0.1.35",
        "0.1.36",
        "0.1.37",
        "0.1.38",
        "0.1.4",
        "0.1.43",
        "0.1.44",
        "0.1.45",
        "0.1.46",
        "0.1.47",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.1.8",
        "0.1.9",
        "0.10.0",
        "0.10.1",
        "0.10.2",
        "0.10.3",
        "0.10.4",
        "0.10.5",
        "0.10.6",
        "0.10.7",
        "0.2.0",
        "0.2.1",
        "0.2.2",
        "0.3.0",
        "0.3.1",
        "0.3.10",
        "0.3.11",
        "0.3.12",
        "0.3.13",
        "0.3.14",
        "0.3.15",
        "0.3.16",
        "0.3.17",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.3.6",
        "0.3.7",
        "0.3.8",
        "0.3.9",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.4.3",
        "0.5.0",
        "0.5.1",
        "0.5.2",
        "0.5.3",
        "0.5.4",
        "0.5.5",
        "0.5.6",
        "0.6.1",
        "0.6.10",
        "0.6.11",
        "0.6.12",
        "0.6.13",
        "0.6.14",
        "0.6.2",
        "0.6.3",
        "0.6.4",
        "0.6.5",
        "0.6.6",
        "0.6.7",
        "0.6.8",
        "0.6.9",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.5",
        "0.7.6",
        "0.7.7",
        "0.7.8",
        "0.8.0",
        "0.8.1",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.9.0",
        "0.9.1",
        "0.9.2",
        "0.9.3",
        "1.0.0",
        "1.0.1",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.10.0",
        "1.11.0",
        "1.11.1",
        "1.12.0",
        "1.12.1",
        "1.12.2",
        "1.12.3",
        "1.12.4",
        "1.12.5",
        "1.13.0",
        "1.13.1",
        "1.2.0",
        "1.2.1",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.3.6",
        "1.3.7",
        "1.4.0",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4.7",
        "1.5.0",
        "1.6.0",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.7.0",
        "1.7.1",
        "1.8.0",
        "1.8.1",
        "1.9.0",
        "1.9.1",
        "1.9.2",
        "1.9.3",
        "1.9.4",
        "1.9.5",
        "1.9.6",
        "2.0.0",
        "2.1.0",
        "2.1.1",
        "2.1.10",
        "2.1.11",
        "2.1.12",
        "2.1.13",
        "2.1.2",
        "2.1.3",
        "2.1.4",
        "2.1.5",
        "2.1.6",
        "2.1.7",
        "2.1.8",
        "2.1.9",
        "2.2.0",
        "2.2.0rc1",
        "2.2.0rc2",
        "2.2.1",
        "2.2.1rc1",
        "2.2.1rc2",
        "2.2.1rc3",
        "2.2.2",
        "2.2.2rc1",
        "2.2.2rc2",
        "2.2.2rc3",
        "2.2.3",
        "2.2.3rc1",
        "2.2.3rc2",
        "2.2.3rc3",
        "2.2.3rc4",
        "2.2.3rc5",
        "2.2.3rc6",
        "2.2.4",
        "2.2.4rc1",
        "2.3.0",
        "2.3.0rc1",
        "2.3.0rc2",
        "2.3.0rc3",
        "2.3.0rc4",
        "2.3.1",
        "2.3.1rc1",
        "2.3.2",
        "2.3.2rc1",
        "2.3.3",
        "2.3.3rc1",
        "2.3.3rc2",
        "2.3.3rc3",
        "2.3.4",
        "2.3.4rc1",
        "3.0.0",
        "3.0.0rc1",
        "3.0.0rc2",
        "3.0.0rc3",
        "3.0.0rc4",
        "3.0.1",
        "3.0.1rc1",
        "3.1.0",
        "3.1.0rc1",
        "3.1.0rc2",
        "3.1.0rc3",
        "3.1.1",
        "3.1.1rc1",
        "3.1.1rc2",
        "3.1.1rc3",
        "3.2.0",
        "3.2.0rc1",
        "3.2.0rc2",
        "3.2.1",
        "3.2.1rc1",
        "3.2.2",
        "3.2.2rc1",
        "3.2.3",
        "3.2.3rc1",
        "3.2.3rc2",
        "3.3.0",
        "3.3.0rc1",
        "3.3.1",
        "3.3.1rc1",
        "3.3.2",
        "3.3.2rc1",
        "3.3.3",
        "3.3.3rc1",
        "3.3.4",
        "3.3.4rc1",
        "3.4.0",
        "3.4.0rc1",
        "3.4.0rc2",
        "3.4.1",
        "3.4.1rc1",
        "3.4.1rc2",
        "3.4.1rc3",
        "3.4.2rc1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21659",
    "GHSA-wfjw-w6pv-8p7f"
  ],
  "details": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.",
  "id": "PYSEC-2022-24",
  "modified": "2022-02-07T21:26:59.516513Z",
  "published": "2022-01-31T21:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"
    }
  ]
}

gsd-2022-21659

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.

Aliases

CVE-2022-21659

Aliases

CVE-2022-21659

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-21659",
    "description": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.",
    "id": "GSD-2022-21659"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-21659"
      ],
      "details": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.",
      "id": "GSD-2022-21659",
      "modified": "2023-12-13T01:19:13.967676Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-21659",
        "STATE": "PUBLIC",
        "TITLE": "Observable Response Discrepancy in Flask-AppBuilder"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f",
            "refsource": "CONFIRM",
            "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"
          },
          {
            "name": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775",
            "refsource": "MISC",
            "url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-wfjw-w6pv-8p7f",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c3.4.2",
          "affected_versions": "All versions before 3.4.2",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-203",
            "CWE-937"
          ],
          "date": "2022-02-07",
          "description": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework.This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to as soon as possible. There are no known workarounds for this issue.",
          "fixed_versions": [
            "3.4.2"
          ],
          "identifier": "CVE-2022-21659",
          "identifiers": [
            "CVE-2022-21659",
            "GHSA-wfjw-w6pv-8p7f"
          ],
          "not_impacted": "All versions starting from 3.4.2",
          "package_slug": "pypi/Flask-AppBuilder",
          "pubdate": "2022-01-31",
          "solution": "Upgrade to version 3.4.2 or above.",
          "title": "Observable Discrepancy",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-21659",
            "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775",
            "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"
          ],
          "uuid": "ba15b9bb-b8e1-4506-b0a7-2bf2fbbb6595"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:flask-appbuilder_project:flask-appbuilder:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.4.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-21659"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-203"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775"
            },
            {
              "name": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2022-02-07T19:47Z",
      "publishedDate": "2022-01-31T21:15Z"
    }
  }
}

ghsa-wfjw-w6pv-8p7f

Vulnerability from github

Published

2022-02-01 00:47

Modified

2025-03-07 19:09

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

Observable Response Discrepancy in Flask-AppBuilder

Details

Impact

User enumeration in database authentication in Flask-AppBuilder < 3.4.4. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in.

Patches

Upgrade to 3.4.4

Workarounds

References

For more information

If you have any questions or comments about this advisory: * Open an issue in example link to repo * Email us at example email address

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Flask-AppBuilder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21659"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-31T20:19:12Z",
    "nvd_published_at": "2022-01-31T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nUser enumeration in database authentication in Flask-AppBuilder  \u003c 3.4.4. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in.\n\n### Patches\nUpgrade to 3.4.4\n\n### Workarounds\n\n### References\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)",
  "id": "GHSA-wfjw-w6pv-8p7f",
  "modified": "2025-03-07T19:09:24Z",
  "published": "2022-02-01T00:47:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21659"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/e2b744c258ff62ece9d5ac7172c3b4644ff4c2fe"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/commits/v3.4.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Observable Response Discrepancy in Flask-AppBuilder"
}

Action not permitted

cve-2022-21659

Vulnerability from cvelistv5

pysec-2022-24

Vulnerability from pysec

gsd-2022-21659

Vulnerability from gsd

ghsa-wfjw-w6pv-8p7f

Vulnerability from github

Impact

Patches

Workarounds

References

For more information

Tags