Flask-AppBuilder User Enumeration Vulnerability via Timing Attack

Vulnerability

A user enumeration vulnerability has been identified in Flask-AppBuilder versions prior to 4.5.3. This issue allows unauthenticated users to enumerate existing usernames by exploiting a timing attack during the login process. The vulnerability arises from the application taking varying amounts of time to respond based on the existence of the username being guessed, thereby leaking information about valid usernames.
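The pattern described above, as an added example that is not Flask-AppBuilder's own code: a login check whose early return on an unknown username skips the password hash, next to a hardened version that hashes against a dummy record so the known-user and unknown-user paths do the same work. The user store, helper names and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # constructed parameter, deliberately slow


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; the expensive step whose absence leaks timing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed sample user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record prepared once so the unknown-user path can run a real hash.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password-never-accepted", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Unknown users return before any hashing, so the response is much
    faster for them than for existing users: the timing leak."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected)


def login_hardened(username: str, password: str) -> bool:
    """Always hash, against the dummy record when the user is unknown, and
    reject unknown users regardless of how the comparison turns out."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, expected = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(hash_password(password, salt), expected)
    return user_exists and match


def mean_seconds(login, username: str, runs: int = 5) -> float:
    """Average time of a failed login; a local check that the hardened path
    costs about the same for a known and an unknown username."""
    start = time.perf_counter()
    for _ in range(runs):
        login(username, "wrong password")
    return (time.perf_counter() - start) / runs


if __name__ == "__main__":
    for login in (login_vulnerable, login_hardened):
        print(login.__name__, "known:", round(mean_seconds(login, "alice"), 4),
              "unknown:", round(mean_seconds(login, "nobody"), 4))
```

Running the block prints the per-call cost for a known and an unknown username; the vulnerable function shows a large gap, the hardened one does not.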

Impact

Exploitation of this vulnerability could lead to unauthorized username enumeration, potentially facilitating further attacks such as password guessing or phishing.

Remediation

Users are advised to upgrade Flask-AppBuilder to version 4.5.3 or later. If an upgrade is not possible, downgrading Werkzeug to a version prior to 3.0.0 is recommended.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 8.3
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.