User enumeration in database authentication in Flask-AppBuilder <= 4.5.3 when used with werkzeug >= 3.0.0. An unauthenticated user can enumerate existing usernames by measuring the server's response time across repeated login requests: the time taken to answer differs depending on whether the submitted username exists (CWE-204, observable response discrepancy).
Upgrade to flask-appbuilder>=4.5.3.
Workaround: downgrade werkzeug to <3.0.0.
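As an added illustration of the CWE-204 class and its standard mitigation (not Flask-AppBuilder's or werkzeug's own code): a login check that returns early for unknown usernames, beside one that always performs a password verification so that known and unknown users cost the same. Stdlib PBKDF2 stands in for the framework's password hash; the user table, passwords and iteration count are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed: slow enough that skipping the hash is measurable

# Counts every key derivation so a test can show which code path did the work.
COUNTER = {"kdf_calls": 0}


def _derive(password: str, salt: bytes) -> bytes:
    COUNTER["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def hash_password(password: str):
    """Return (salt, digest); stdlib PBKDF2 stands in for the framework's hash."""
    salt = secrets.token_bytes(16)
    return salt, _derive(password, salt)


def check_password(stored, password: str) -> bool:
    salt, digest = stored
    return hmac.compare_digest(_derive(password, salt), digest)


# Constructed user table with a single real account.
USERS = {"alice": hash_password("correct horse battery staple")}

# Hash of a random password, computed once at startup. It is only used to
# spend the same amount of work when the requested username does not exist.
DUMMY_HASH = hash_password(secrets.token_urlsafe(32))


def login_leaky(username: str, password: str) -> bool:
    """Returns before any hashing for unknown users: their requests finish faster."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return check_password(stored, password)


def login_uniform(username: str, password: str) -> bool:
    """Always runs exactly one verification, whether or not the user exists."""
    stored = USERS.get(username)
    if stored is None:
        check_password(DUMMY_HASH, password)  # result deliberately ignored
        return False
    return check_password(stored, password)


def kdf_calls_for(login, username: str, password: str) -> int:
    """Run one login attempt and report how many key derivations it performed."""
    before = COUNTER["kdf_calls"]
    login(username, password)
    return COUNTER["kdf_calls"] - before
```

The dummy verification removes the largest discrepancy, the skipped key derivation; database lookups and logging on the unknown-user path still need the same attention for the response time to be uniform.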
NVD published: 2025-03-03T16:15:41Z
CWE: CWE-204
Severity: LOW
GitHub reviewed: yes, 2025-03-03T15:26:03Z