CVE-2021-29621

Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.
Configurations

Configuration 1 (hide)

cpe:2.3:a:flask-appbuilder_project:flask-appbuilder:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:apache:airflow:1.10.0:*:*:*:*:*:*:*

History

21 Nov 2024, 06:01

Type Values Removed Values Added
References () https://github.com/dpgaspar/Flask-AppBuilder/commit/780bd0e8fbf2d36ada52edb769477e0a4edae580 - Patch, Third Party Advisory () https://github.com/dpgaspar/Flask-AppBuilder/commit/780bd0e8fbf2d36ada52edb769477e0a4edae580 - Patch, Third Party Advisory
References () https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-434h-p4gx-jm89 - Third Party Advisory () https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-434h-p4gx-jm89 - Third Party Advisory
References () https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352%40%3Cannounce.apache.org%3E - () https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352%40%3Cannounce.apache.org%3E -
References () https://lists.apache.org/thread.html/r5b754118ba4e996adf03863705d34168bffec202da5c6bdc9bf3add5%40%3Cannounce.apache.org%3E - () https://lists.apache.org/thread.html/r5b754118ba4e996adf03863705d34168bffec202da5c6bdc9bf3add5%40%3Cannounce.apache.org%3E -
References () https://lists.apache.org/thread.html/r91067f953906d93aaa1c69fe2b5472754019cc6bd4f1ba81349d62a0%40%3Ccommits.airflow.apache.org%3E - () https://lists.apache.org/thread.html/r91067f953906d93aaa1c69fe2b5472754019cc6bd4f1ba81349d62a0%40%3Ccommits.airflow.apache.org%3E -
References () https://pypi.org/project/Flask-AppBuilder/ - Product, Third Party Advisory () https://pypi.org/project/Flask-AppBuilder/ - Product, Third Party Advisory

07 Nov 2023, 03:32

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/r5b754118ba4e996adf03863705d34168bffec202da5c6bdc9bf3add5@%3Cannounce.apache.org%3E', 'name': '[announce] 20210618 Apache Airflow CVE: CVE-2021-29621: User enumeration in database authentication in Flask-AppBuilder <= 3.2.3.', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E', 'name': '[announce] 20210623 Success at Apache: Security in Practice', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/r91067f953906d93aaa1c69fe2b5472754019cc6bd4f1ba81349d62a0@%3Ccommits.airflow.apache.org%3E', 'name': '[airflow-commits] 20210712 [GitHub] [airflow] ashb commented on pull request #16942: Relax version constraint on ``Flask-Appbuilder``', 'tags': ['Third Party Advisory'], 'refsource': 'MLIST'}
  • () https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352%40%3Cannounce.apache.org%3E -
  • () https://lists.apache.org/thread.html/r5b754118ba4e996adf03863705d34168bffec202da5c6bdc9bf3add5%40%3Cannounce.apache.org%3E -
  • () https://lists.apache.org/thread.html/r91067f953906d93aaa1c69fe2b5472754019cc6bd4f1ba81349d62a0%40%3Ccommits.airflow.apache.org%3E -

Information

Published : 2021-06-07 19:15

Updated : 2024-11-21 06:01


NVD link : CVE-2021-29621

Mitre link : CVE-2021-29621

CVE.ORG link : CVE-2021-29621


JSON object : View

Products Affected

flask-appbuilder_project

  • flask-appbuilder

apache

  • airflow
CWE
CWE-203

Observable Discrepancy