CVE-2022-21659 Vulnerability Analysis & Exploit Details

CVE-2022-21659 Vulnerability Summary

CVE-2022-21659: Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.

Exploit Prediction Scoring System (EPSS)

The EPSS score estimates the probability that this vulnerability will be exploited in the near future.

EPSS Score: 0.071% (probability of exploit)

EPSS Percentile: 34.09% (lower percentile = lower relative risk)
This vulnerability is less risky than approximately 65.91% of others.

CVE-2022-21659 References

External References

• https://github.com/dpgaspar/Flask-AppBuilder/pull/1775
• https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f
• https://github.com/dpgaspar/Flask-AppBuilder/pull/1775
• https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f

CWE Common Weakness Enumeration

CAPEC Common Attack Pattern Enumeration and Classification

• Black Box Reverse Engineering CAPEC-189 An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.

Vulnerable Configurations

• cpe:2.3:a:dpgaspar:flask-appbuilder:-:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:-:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.8.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.8.1:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.1:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.2:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.2:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.3:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.3:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.4:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.4:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.5:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.5:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.6:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.9.6:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.10.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.10.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.11.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.11.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.11.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.11.1:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.1:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.2:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.2:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.3:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.3:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.4:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.4:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.5:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.12.5:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.13.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.13.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:1.13.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:1.13.1:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.2:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.2:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.3:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.3:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.4:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.4:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.5:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.5:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.6:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.6:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.7:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.7:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.8:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.8:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.9:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.9:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.10:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.10:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.11:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.11:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.12:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.12:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.13:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.1.13:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.1:-:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.1:-:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.1:rc1:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.1:rc1:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.2:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.3:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.3:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.4:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.2.4:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.3.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.3.1:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.3.2:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.3.2:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.3.3:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.3.3:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:2.3.4:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:2.3.4:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.0.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.0.1:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.1.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.1.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.2.2:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.2.3:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.2.3:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.3.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.3.1:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.3.2:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.3.2:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.3.3:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.3.3:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.3.4:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.3.4:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.4.0:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:dpgaspar:flask-appbuilder:3.4.1:*:*:*:*:*:*:*
  cpe:2.3:a:dpgaspar:flask-appbuilder:3.4.1:*:*:*:*:*:*:*

Other 5 Recently Published CVEs Vulnerabilities

• CVE-2024-43107 – Improper Certificate Validation (CWE-295) in the Gallagher Milestone Integration Plugin (MIP) permits unauthenticated messages (e.g. alarm events) ...
• CVE-2024-41724 – Improper Certificate Validation (CWE-295) in the Gallagher Command Centre SALTO integration allowed an attacker to spoof the SALTO server. Thi...
• CVE-2025-2133 – A vulnerability classified as problematic was found in ftcms 2.1. Affected by this vulnerability is an unknown functionality of the file /admin/ind...
• CVE-2025-2132 – A vulnerability classified as critical has been found in ftcms 2.1. Affected is an unknown function of the file /admin/index.php/web/ajax_all_lists...
• CVE-2025-2131 – A vulnerability was found in dayrui XunRuiCMS up to 4.6.3. It has been rated as problematic. This issue affects some unknown processing of the comp...