GoogleOSV:GHSA-9HCR-9HCV-X6PVFlask-AppBuilder Has No Rate Limiting on Login AUTH DB
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
52.3%
Impact
Lack of rate limiting will allow an attacker to brute-force user credentials.
Patches
Ability to enable rate limiting on Flask-AppBuilder >= 4.3.0. Use AUTH_RATE_LIMITED = True and RATELIMIT_ENABLED = True set the limit itself by using AUTH_RATE_LIMIT. Will apply only to database authentication.
Workarounds
Implement rate limiting using a reverse proxy or other strategies.
References
flask-limiter.readthedocs.io/en/stable/configuration.html
github.com/dpgaspar/Flask-AppBuilder
github.com/dpgaspar/Flask-AppBuilder/pull/1976
github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.0
github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-9hcr-9hcv-x6pv
nvd.nist.gov/vuln/detail/CVE-2023-29005
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
52.3%