CVE-2022-21659 - Vulnerability Details - OpenCVE

Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Dpgaspar	Flask-appbuilder

Configuration 1 [-]

cpe:2.3:a:dpgaspar:flask-appbuilder:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/dpgaspar/Flask-AppBuilder/pull/1775
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f

History

Mon, 05 May 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 07 Mar 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dpgaspar Dpgaspar flask-appbuilder
CPEs	cpe:2.3:a:flask-appbuilder_project:flask-appbuilder::::::::	cpe:2.3:a:dpgaspar:flask-appbuilder::::::::
Vendors & Products	Flask-appbuilder Project Flask-appbuilder Project flask-appbuilder	Dpgaspar Dpgaspar flask-appbuilder

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-01-31T20:20:40.000Z

Updated: 2025-05-05T16:34:10.131Z

Reserved: 2021-11-16T00:00:00.000Z

Link: CVE-2022-21659

Vulnrichment

Updated: 2024-08-03T02:46:39.326Z

NVD

Status : Modified

Published: 2022-01-31T21:15:09.013

Modified: 2025-05-05T17:17:47.010

Link: CVE-2022-21659

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-31T20:20:40.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775"}], "source": {"advisory": "GHSA-wfjw-w6pv-8p7f", "discovery": "UNKNOWN"}, "title": "Observable Response Discrepancy in Flask-AppBuilder", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2022-21659", "STATE": "PUBLIC", "TITLE": "Observable Response Discrepancy in Flask-AppBuilder"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f", "refsource": "CONFIRM", "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"}, {"name": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775", "refsource": "MISC", "url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775"}]}, "source": {"advisory": "GHSA-wfjw-w6pv-8p7f", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:46:39.326Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-203", "lang": "en", "description": "CWE-203 Observable Discrepancy"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-25T15:44:49.758400Z", "id": "CVE-2022-21659", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T16:34:10.131Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-21659", "datePublished": "2022-01-31T20:20:40.000Z", "dateReserved": "2021-11-16T00:00:00.000Z", "dateUpdated": "2025-05-05T16:34:10.131Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:46:39.326Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-21659", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-25T15:44:49.758400Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T13:16:44.259Z"}}], "cna": {"title": "Observable Response Discrepancy in Flask-AppBuilder", "source": {"advisory": "GHSA-wfjw-w6pv-8p7f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-01-31T20:20:40.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, "source": {"advisory": "GHSA-wfjw-w6pv-8p7f", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f", "name": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f", "refsource": "CONFIRM"}, {"url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775", "name": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-21659", "STATE": "PUBLIC", "TITLE": "Observable Response Discrepancy in Flask-AppBuilder", "ASSIGNER": "[email protected]"}}}}, "cveMetadata": {"cveId": "CVE-2022-21659", "state": "PUBLISHED", "dateUpdated": "2025-05-05T16:34:10.131Z", "dateReserved": "2021-11-16T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-01-31T20:20:40.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dpgaspar:flask-appbuilder:*:*:*:*:*:*:*:*", "matchCriteriaId": "66F472EA-B2C9-48A3-93B4-8B5CD4CE80BD", "versionEndExcluding": "3.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue."}, {"lang": "es", "value": "Flask-AppBuilder es un marco de desarrollo de aplicaciones, construido sobre el marco web Flask. En las versiones afectadas se presenta una vulnerabilidad de enumeraci\u00f3n de usuarios. Esta vulnerabilidad permite a un usuario no autenticado enumerar las cuentas existentes cronometrando el tiempo de respuesta del servidor cuando est\u00e1 inici\u00e1ndose la sesi\u00f3n. Se recomienda a usuarios actualizar a versi\u00f3n 3.4.4 lo antes posible. No se presentan medidas de mitigaci\u00f3n conocidas para este problema"}], "id": "CVE-2022-21659", "lastModified": "2025-05-05T17:17:47.010", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-01-31T21:15:09.013", "references": [{"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}