CVE-2021-29621
Summary
| Field | Value |
|---|---|
| CVE | CVE-2021-29621 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-06-07 19:15:00 UTC |
| Updated | 2023-11-07 03:32:00 UTC |
| Description | Flask-AppBuilder is a development framework built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3: an unauthenticated user can enumerate existing accounts by timing the server's response to login attempts (an observable response discrepancy). Upgrade to version 3.3.0 or higher to resolve. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [announce] 20210618 Apache Airflow CVE: CVE-2021-29621: User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| [announce] 20210623 Success at Apache: Security in Practice | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| fix: auth balance (#1634) · dpgaspar/Flask-AppBuilder@780bd0e · GitHub | MISC | github.com | |
| Flask-AppBuilder · PyPI | MISC | pypi.org | |
| Observable Response Discrepancy in Flask-AppBuilder · Advisory · dpgaspar/Flask-AppBuilder · GitHub | CONFIRM | github.com | |
| [airflow-commits] 20210712 [GitHub] [airflow] ashb commented on pull request #16942: Relax version constraint on ``Flask-Appbuilder`` | | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 981343 Python (pip) Security Update for Flask-AppBuilder (GHSA-434h-p4gx-jm89)