CVE-2021-29621 — Observable Response Discrepancy in Flask-AppBuilder

Description

Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.

How to fix CVE-2021-29621

To remediate CVE-2021-29621, upgrade the affected package to a fixed version below.

—upgrade to 1.10.1 or later
—upgrade to 3.3.0 or later
—upgrade to 780bd0e8fbf2d36ada52edb769477e0a4edae580 or later

Is CVE-2021-29621 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 1.10.0, < 1.10.1
from 0, < 3.3.0
from 0, < 780bd0e8fbf2d36ada52edb769477e0a4edae580 | from 0, < 3.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-29621
PATCHgithub.com/dpgaspar/Flask-AppBuilder
PATCHpypi.org/project/Flask-AppBuilder/
WEBgithub.com/dpgaspar/Flask-AppBuilder/commit/780bd0e8fbf2d36ada52edb769477e0a4edae580