CVE-2021-33026 - OpenCVE

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Flask-caching Project	Flask-caching

Configuration 1 [-]

cpe:2.3:a:flask-caching_project:flask-caching:*:*:*:*:*:flask:*:*

References

Link	Resource
https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937	Issue Tracking Patch Third Party Advisory
https://github.com/sh4nks/flask-caching/pull/209	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-05-13T22:51:20

Updated: 2022-09-16T22:55:27

Reserved: 2021-05-13T00:00:00

Link: CVE-2021-33026

JSON object: View

NVD Information

Status : Modified

Published: 2021-05-13T23:15:07.367

Modified: 2024-05-17T01:57:47.060

Link: CVE-2021-33026

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-16T22:55:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/sh4nks/flask-caching/pull/209"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-33026", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/sh4nks/flask-caching/pull/209", "refsource": "MISC", "url": "https://github.com/sh4nks/flask-caching/pull/209"}, {"name": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937", "refsource": "MISC", "url": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-33026", "datePublished": "2021-05-13T22:51:20", "dateReserved": "2021-05-13T00:00:00", "dateUpdated": "2022-09-16T22:55:27", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flask-caching_project:flask-caching:*:*:*:*:*:flask:*:*", "matchCriteriaId": "04389DFA-32B3-4F65-BBDB-6321BA631F81", "versionEndIncluding": "1.10.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision"}, {"lang": "es", "value": "** EN DISPUTA ** La extensi\u00f3n Flask-Caching hasta la versi\u00f3n 1.10.1 para Flask se basa en Pickle para la serializaci\u00f3n, lo que puede llevar a la ejecuci\u00f3n remota de c\u00f3digo o a la escalada local de privilegios. Si un atacante obtiene acceso al almacenamiento de la cach\u00e9 (por ejemplo, el sistema de archivos, Memcached, Redis, etc.), puede construir una carga \u00fatil manipulada, envenenar la cach\u00e9 y ejecutar c\u00f3digo Python. NOTA: un tercero indica que la explotaci\u00f3n es extremadamente improbable a menos que la m\u00e1quina ya est\u00e9 comprometida; en otros casos, el atacante no podr\u00eda escribir su carga \u00fatil en la cach\u00e9 y generar la colisi\u00f3n necesaria"}], "id": "CVE-2021-33026", "lastModified": "2024-05-17T01:57:47.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-13T23:15:07.367", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sh4nks/flask-caching/pull/209"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}