Flask-AppBuilder versions before 4.3.0 lack rate limiting which can allow an attacker to brute-force user credentials. Version 4.3.0 includes the ability to enable rate limiting using `AUTH_RATE_LIMITED = True`, `RATELIMIT_ENABLED = True`, and setting an `AUTH_RATE_LIMIT`.
References
Link | Resource |
---|---|
https://flask-limiter.readthedocs.io/en/stable/configuration.html | Product |
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-9hcr-9hcv-x6pv | Vendor Advisory |
Configurations
History
18 Apr 2023, 17:02
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-04-10 21:15
Updated : 2024-02-04 23:37
NVD link : CVE-2023-29005
Mitre link : CVE-2023-29005
CVE.ORG link : CVE-2023-29005
JSON object : View
Products Affected
flask-appbuilder_project
- flask-appbuilder
CWE
CWE-307
Improper Restriction of Excessive Authentication Attempts