CVE-2025-24023

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

F

lask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.

References

Link	Resource
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dpgaspar:flask-appbuilder:*:*:*:*:*:*:*:*

History

07 Mar 2025, 21:44

Type	Values Removed	Values Added
First Time		Dpgaspar Dpgaspar flask-appbuilder
CWE		CWE-203
CPE		cpe:2.3:a:dpgaspar:flask-appbuilder::::::::
Summary		(es) Flask-AppBuilder es un framework de desarrollo de aplicaciones. Antes de la versión 4.5.3, Flask-AppBuilder permite a los usuarios no autenticados enumerar nombres de usuario existentes cronometrando el tiempo de respuesta del servidor cuando se fuerzan solicitudes de inicio de sesión. Esta vulnerabilidad se solucionó en la versión 4.5.3.
References	~~() https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp -~~	() https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp - Vendor Advisory

03 Mar 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-03 16:15

Updated : 2025-03-07 21:44

NVD link : CVE-2025-24023

Mitre link : CVE-2025-24023

CVE.ORG link : CVE-2025-24023

JSON object : View

Products Affected

flask-appbuilder

CWE

CWE-204

Observable Response Discrepancy

CWE-203

Observable Discrepancy

{"id": "CVE-2025-24023", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-03-03T16:15:41.820", "references": [{"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-204"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3."}, {"lang": "es", "value": "Flask-AppBuilder es un framework de desarrollo de aplicaciones. Antes de la versi\u00f3n 4.5.3, Flask-AppBuilder permite a los usuarios no autenticados enumerar nombres de usuario existentes cronometrando el tiempo de respuesta del servidor cuando se fuerzan solicitudes de inicio de sesi\u00f3n. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 4.5.3."}], "lastModified": "2025-03-07T21:44:56.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dpgaspar:flask-appbuilder:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF28CA72-015B-43B1-A97C-02EA08C00137", "versionEndExcluding": "4.5.3"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}