Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-29005: No Rate Limiting on Login AUTH DB

Flask-AppBuilder versions before 4.3.0 lack rate limiting which can allow an attacker to brute-force user credentials. Version 4.3.0 includes the ability to enable rate limiting using AUTH_RATE_LIMITED = True, RATELIMIT_ENABLED = True, and setting an AUTH_RATE_LIMIT.

CVE
Open in Source
#auth

Package

pip Flask-AppBuilder (pip)

Description

Impact

Lack of rate limiting will allow an attacker to brute-force user credentials

Patches

Ability to enable rate limiting on Flask-AppBuilder >= 4.3.0. Use AUTH_RATE_LIMITED = True and RATELIMIT_ENABLED = True set the limit itself by using AUTH_RATE_LIMIT more details on https://flask-limiter.readthedocs.io/en/stable/configuration.html. Will apply only to database authentication.

Workarounds

Implement rate limiting using a reverse proxy or other strategies.

Related news

GHSA-9hcr-9hcv-x6pv: Flask-AppBuilder Has No Rate Limiting on Login AUTH DB

### Impact Lack of rate limiting will allow an attacker to brute-force user credentials. ### Patches Ability to enable rate limiting on Flask-AppBuilder >= 4.3.0. Use `AUTH_RATE_LIMITED = True` and `RATELIMIT_ENABLED = True` set the limit itself by using `AUTH_RATE_LIMIT`. Will apply only to database authentication. ### Workarounds Implement rate limiting using a reverse proxy or other strategies.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE