High severity · NVD Advisory · Published Apr 10, 2023 · Updated Feb 7, 2025
No Rate Limiting on Login AUTH DB
CVE-2023-29005
Description
Flask-AppBuilder versions before 4.3.0 lack rate limiting on login, which can allow an attacker to brute-force user credentials. Version 4.3.0 adds the ability to enable rate limiting by setting AUTH_RATE_LIMITED = True and RATELIMIT_ENABLED = True, and by configuring an AUTH_RATE_LIMIT.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Flask-AppBuilder (PyPI) | < 4.3.0 | 4.3.0 |
Affected products
- Range: < 4.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9hcr-9hcv-x6pv (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-29005 (advisory)
- flask-limiter.readthedocs.io/en/stable/configuration.html
- github.com/dpgaspar/Flask-AppBuilder/pull/1976
- github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.0
- github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-9hcr-9hcv-x6pv (vendor confirmation)
News mentions
No linked articles in our index yet.