PYSEC-2021-13

Import Source: https://github.com/pypa/advisory-database/blob/main/vulns/flask-caching/PYSEC-2021-13.yaml
JSON Data: https://api.osv.dev/v1/vulns/PYSEC-2021-13
Withdrawn: 2023-07-25T12:32:00Z
Published: 2021-05-13T23:15:00Z
Modified: 2023-07-25T00:34:15.721702Z
Summary: [none]
Details

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to the cache storage (e.g., the filesystem, Memcached, or Redis), they can construct a crafted payload, poison the cache, and execute Python code when the poisoned entry is deserialized.

References

Affected packages

PyPI / flask-caching

Package
Name: flask-caching
Purl: pkg:pypi/flask-caching

Affected ranges
Type: ECOSYSTEM
Events
Introduced: 1.0.0

Affected versions

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.7.2
1.8.0
1.9.0
1.10.0
1.10.1
1.11.0
1.11.1

2.*

2.0.0
2.0.1
2.0.2