CVE-2021-29621: Observable Response Discrepancy in Flask-AppBuilder
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.52061%
CWE
Published
5/27/2021
Updated
3/7/2025
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Flask-AppBuilder | pip | < 3.3.0 | 3.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the auth_user_db authentication flow in versions <3.3.0. The commit diff shows a security fix where a dummy password hash check was added specifically in the user-not-found/inactive branch to balance execution time. This indicates the original implementation lacked timing attack protections. The function's control flow created different response times based on user existence (immediate return for invalid users vs. password verification for valid ones), enabling attackers to infer valid accounts through timing measurements.