Moderate severityNVD Advisory· Published Jun 7, 2021· Updated Aug 3, 2024
Observable Response Discrepancy in Flask-AppBuilder
CVE-2021-29621
Description
Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Flask-AppBuilderPyPI | < 3.3.0 | 3.3.0 |
Affected products
1- Range: < 3.3.0
Patches
1780bd0e8fbf2fix: auth balance (#1634)
1 file changed · +6 −0
flask_appbuilder/security/manager.py+6 −0 modified@@ -833,6 +833,12 @@ def auth_user_db(self, username, password): if user is None: user = self.find_user(email=username) if user is None or (not user.is_active): + # Balance failure and success + check_password_hash( + "pbkdf2:sha256:150000$Z3t6fmj2$22da622d94a1f8118" + "c0976a03d2f18f680bfff877c9a965db9eedc51bc0be87c", + "password", + ) log.info(LOGMSG_WAR_SEC_LOGIN_FAILED.format(username)) return None elif check_password_hash(user.password, password):
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
13- github.com/advisories/GHSA-434h-p4gx-jm89ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-29621ghsaADVISORY
- github.com/dpgaspar/Flask-AppBuilder/commit/780bd0e8fbf2d36ada52edb769477e0a4edae580ghsax_refsource_MISCWEB
- github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-434h-p4gx-jm89ghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2021-90.yamlghsaWEB
- lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352%40%3Cannounce.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r5b754118ba4e996adf03863705d34168bffec202da5c6bdc9bf3add5%40%3Cannounce.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r5b754118ba4e996adf03863705d34168bffec202da5c6bdc9bf3add5@%3Cannounce.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r91067f953906d93aaa1c69fe2b5472754019cc6bd4f1ba81349d62a0%40%3Ccommits.airflow.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r91067f953906d93aaa1c69fe2b5472754019cc6bd4f1ba81349d62a0@%3Ccommits.airflow.apache.org%3EghsaWEB
- pypi.org/project/Flask-AppBuilderghsaWEB
- pypi.org/project/Flask-AppBuilder/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.