Flask-AppBuilder versions before 4.3.0 lack rate limiting which can allow an attacker to brute-force user credentials. Version 4.3.0 includes the ability to enable rate limiting using `AUTH_RATE_LIMITED = True`, `RATELIMIT_ENABLED = True`, and setting an `AUTH_RATE_LIMIT`.
References
Link | Resource |
---|---|
https://flask-limiter.readthedocs.io/en/stable/configuration.html | Product |
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-9hcr-9hcv-x6pv | Vendor Advisory |
Configurations
History
18 Apr 2023, 17:02
Type | Values Removed | Values Added |
---|---|---|
First Time |
Flask-appbuilder Project
Flask-appbuilder Project flask-appbuilder |
|
References | (MISC) https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-9hcr-9hcv-x6pv - Vendor Advisory | |
References | (MISC) https://flask-limiter.readthedocs.io/en/stable/configuration.html - Product | |
CPE | cpe:2.3:a:flask-appbuilder_project:flask-appbuilder:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
10 Apr 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-04-10 21:15
Updated : 2023-12-10 15:01
NVD link : CVE-2023-29005
Mitre link : CVE-2023-29005
CVE.ORG link : CVE-2023-29005
JSON object : View
Products Affected
flask-appbuilder_project
- flask-appbuilder
CWE
CWE-307
Improper Restriction of Excessive Authentication Attempts