CVE-2023-29005

7.5 HIGH

📋 TL;DR

Flask-AppBuilder versions before 4.3.0 lack built-in rate limiting for authentication endpoints, allowing attackers to perform unlimited brute-force attacks against user credentials. This affects all deployments using vulnerable versions of Flask-AppBuilder with authentication enabled.

💻 Affected Systems

Products:
  • Flask-AppBuilder
Versions: All versions before 4.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with authentication enabled. Rate limiting is disabled by default in vulnerable versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could brute-force administrator credentials, gain full system access, and compromise sensitive data or deploy ransomware.

🟠 Likely Case

Attackers brute-force user accounts to gain unauthorized access, potentially leading to data theft or privilege escalation.

🟢 If Mitigated

With rate limiting enabled, brute-force attempts are blocked once the threshold is reached, preventing credential compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication required for login attempts. Simple tools like Hydra or Burp Intruder can exploit this.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.0 and later

Vendor Advisory: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-9hcr-9hcv-x6pv

Restart Required: Yes

Instructions:

1. Upgrade to Flask-AppBuilder 4.3.0 or later.
2. Enable rate limiting by setting AUTH_RATE_LIMITED = True, RATELIMIT_ENABLED = True, and configuring AUTH_RATE_LIMIT.
3. Restart the application.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Platform: all

Configure WAF rules to limit authentication attempts per IP address.

Reverse Proxy Rate Limiting

Platform: linux

Use nginx or Apache to implement rate limiting at the proxy layer.

nginx example (in the http block): limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/m;
Then add 'limit_req zone=auth burst=10 nodelay;' to the auth location block.

🧯 If You Can't Patch

  • Implement network-level rate limiting using firewalls or load balancers.
  • Enable account lockout policies after failed attempts if supported.

🔍 How to Verify

Check if Vulnerable:

Check Flask-AppBuilder version in requirements.txt or via pip show Flask-AppBuilder. If version < 4.3.0, check if AUTH_RATE_LIMITED and RATELIMIT_ENABLED are set to True in configuration.

Check Version:

pip show Flask-AppBuilder | grep Version

Verify Fix Applied:

After the upgrade, verify that the version is ≥4.3.0 and test the authentication endpoint with rapid requests; the server should return 429 Too Many Requests once the limit is reached.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from same IP address
  • Unusually high volume of POST requests to the /login endpoint

Network Indicators:

  • High volume of authentication requests
  • Pattern of sequential username/password attempts

SIEM Query:

source="app.log" AND "POST /login" AND status=401 | stats count by src_ip | where count > 10

🔗 References
