CVE-2021-33026

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-33026
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33026.json
Aliases
Withdrawn
2022-09-16T22:55:27Z
Published
2021-05-13T23:15:07Z
Modified
2023-11-29T08:54:47.851364Z
Summary
[none]
Details

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision

References

Affected packages

Git / github.com/sh4nks/flask-caching

Affected ranges

Type
GIT
Repo
https://github.com/sh4nks/flask-caching
Events
Introduced
0The exact introduced commit is unknown
Last affected
31f6949c499dc8b57ce1db04c1841105d4631eb1

Affected versions

1.*

1.0.0

R-0.*

R-0.10
R-0.11
R-0.3
R-0.3.1
R-0.3.2
R-0.3.3
R-0.4
R-0.6
R-0.7
R-0.8

R-1.*

R-1.7.1

v1.*

v1.10.0
v1.10.1
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.7.1
v1.7.2
v1.8.0
v1.9.0