
CVE-2021-29621: Observable Response Discrepancy in Flask-AppBuilder

CVSS Score
5.3 (CVSS v3.1)

Basic Information

EPSS Score
0.52061%
Published
5/27/2021
Updated
3/7/2025
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name
Flask-AppBuilder
Ecosystem
pip
Vulnerable Versions
< 3.3.0
First Patched Version
3.3.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the auth_user_db authentication flow in versions before 3.3.0. The commit diff shows a security fix in which a dummy password hash check was added specifically to the user-not-found/inactive branch to balance execution time, which indicates that the original implementation had no protection against timing attacks. The function's control flow produced different response times depending on whether the user existed (an immediate return for unknown or inactive users versus a full password hash verification for valid ones), so an unauthenticated attacker could infer which accounts exist by measuring login response times.
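The two control-flow shapes the analysis describes, as an added example that is not Flask-AppBuilder's own code: a simplified auth_user_db with the fast return for unknown or inactive users, beside the fixed shape that runs a dummy hash check in that branch so both paths do the same amount of work. The user store, the PBKDF2 hashing scheme, the dummy hash and all names other than auth_user_db are constructed stand-ins, and a call counter replaces wall-clock timing so the difference is observable deterministically.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the password hashing scheme: PBKDF2 with a fixed
# work factor, so every verification costs roughly the same amount of time.
ITERATIONS = 50_000

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

# Counter so the work done on each branch can be checked without timing.
hash_checks = {"count": 0}

def check_password(stored, candidate):
    hash_checks["count"] += 1
    salt_hex, digest_hex = stored.split("$")
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(bytes.fromhex(digest_hex), actual)

@dataclass
class User:
    username: str
    password_hash: str
    active: bool = True

# Constructed user store standing in for the application's database.
USERS = {
    "alice": User("alice", hash_password("correct horse")),
    "bob": User("bob", hash_password("battery staple"), active=False),
}

def auth_user_db_vulnerable(username, password):
    """Pre-fix shape: unknown or inactive users return before any hashing."""
    user = USERS.get(username)
    if user is None or not user.active:
        return None  # fast path: response time reveals the account does not exist
    return user if check_password(user.password_hash, password) else None

# Hash of a throwaway password, computed once, so the dummy check costs
# the same as a real verification.
DUMMY_HASH = hash_password("not-a-real-password")

def auth_user_db_fixed(username, password):
    """Fixed shape: the not-found/inactive branch still performs one hash check."""
    user = USERS.get(username)
    if user is None or not user.active:
        check_password(DUMMY_HASH, password)  # balance execution time, discard result
        return None
    return user if check_password(user.password_hash, password) else None
```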


WAF Protection Rules

WAF Rule

Impact: User enumeration in database authentication in Flask-AppBuilder versions before 3.3.0. Allows a non-authenticated user to enumerate existing accounts by timing the response time from the server when logging in. Patches: Upgrade to 3.3.0.
