GHSA-p8q5-cvwx-wvwp: Flask-AppBuilder Observable Response Discrepancy

Impact

User enumeration in database authentication in Flask-AppBuilder <= 4.5.3 and werkzeug >= 3.0.0. Allows an unauthenticated user to enumerate existing usernames by timing the server's responses to login requests while brute-forcing them.

Patches

Upgrade to flask-appbuilder>=4.5.3

Workarounds

Downgrade werkzeug to <3.0.0
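Added illustration, not Flask-AppBuilder's or werkzeug's own code: a minimal database-style login check in the leaky shape the advisory describes (the password hash is only verified when the username exists) beside a hardened version that performs exactly one hash verification on every attempt. The in-memory user table, the scrypt parameters and the hash-call counter are constructed for the example, and the assumption that the early return on an unknown username is the source of the response-time discrepancy is mine.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the database auth backend (not the project's code).
# scrypt plays the role of the slow password hash (assumption: stored hashes
# come from a slow KDF, so skipping the check is what makes the path fast).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
HASH_CALLS = 0  # counts slow-hash invocations so each path's cost is observable


def slow_hash(password: str, salt: bytes) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)


def make_record(password: str):
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


USERS = {"alice": make_record("correct horse battery")}  # constructed sample user
# Throwaway record verified whenever the username is unknown, so the
# unknown-user branch does the same hashing work as the known-user branch.
DUMMY_RECORD = make_record(os.urandom(16).hex())


def login_leaky(username: str, password: str) -> bool:
    """Shape the advisory describes: no hash work when the username is unknown."""
    rec = USERS.get(username)
    if rec is None:
        return False  # fast path: response time reveals the user does not exist
    salt, stored = rec
    return hmac.compare_digest(slow_hash(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Always verifies exactly one hash, whether or not the username exists."""
    rec = USERS.get(username)
    known = rec is not None
    salt, stored = rec if known else DUMMY_RECORD
    matched = hmac.compare_digest(slow_hash(password, salt), stored)
    return matched and known  # a match against the dummy never counts as a login


def hash_calls_for(login, username: str, password: str) -> int:
    """Number of slow-hash computations one login attempt triggers."""
    global HASH_CALLS
    HASH_CALLS = 0
    login(username, password)
    return HASH_CALLS
```

Comparing `hash_calls_for` across the two implementations shows the asymmetry directly: the leaky check does zero hash work for an unknown username, while the hardened one does one hash computation on every path.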

References

Are there any links users can visit to find out more?

CVE-2025-24023

Low severity GitHub Reviewed Published Mar 3, 2025 in dpgaspar/Flask-AppBuilder • Updated Mar 3, 2025

Package

flask-appbuilder (pip)

Affected versions

< 4.5.3

Published to the GitHub Advisory Database

Mar 3, 2025
