PYSEC-2021-13

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/flask-caching/PYSEC-2021-13.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2021-13

Withdrawn

2023-07-25T12:32:00Z

Published

2021-05-13T23:15:00Z

Modified

2023-07-25T00:34:15.721702Z

Summary

[none]

Details

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.

References

Affected packages

PyPI / flask-caching

Package

Name: flask-caching; View open source insights on deps.dev
Purl: pkg:pypi/flask-caching

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Affected versions

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.2.0

1.3.0

1.3.1

1.3.2

1.3.3

1.4.0

1.5.0

1.6.0

1.7.0

1.7.1

1.7.2

1.8.0

1.9.0

1.10.0

1.10.1

1.11.0

1.11.1

2.*

2.0.0

2.0.1

2.0.2