CVE-2021-33026

Published: May 13, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/sh4nks/flask-caching/pull/209

x_refsource_MISC

https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-33026

Description

Affected Products

References