CVE-2021-33026

EPSS 7.29%
Veröffentlicht 13.05.2021 23:15:07
Zuletzt bearbeitet 21.11.2024 06:08:09
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Flask-caching Project ≫ Flask-caching SwPlatformflask Version <= 1.10.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	7.29%	0.936

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937

Patch

Third Party Advisory

Issue Tracking

https://github.com/sh4nks/flask-caching/pull/209

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-33026

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-33026

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-33026

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-33026