Flask-AppBuilder versions before 4.3.0 lack rate limiting which can allow an attacker to brute-force user credentials. Version 4.3.0 includes the ability to enable rate limiting using `AUTH_RATE_LIMITED = True`, `RATELIMIT_ENABLED = True`, and setting an `AUTH_RATE_LIMIT`.
References
Link | Resource |
---|---|
https://flask-limiter.readthedocs.io/en/stable/configuration.html | Product |
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-9hcr-9hcv-x6pv | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-04-10T20:47:17.958Z
Updated: 2023-04-10T20:47:17.958Z
Reserved: 2023-03-29T17:39:16.142Z
Link: CVE-2023-29005
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-04-10T21:15:07.397
Modified: 2023-04-18T17:02:56.903
Link: CVE-2023-29005
JSON object: View
Redhat Information
No data.
CWE