Deserialization of Untrusted Data - CVE-2021-33026 #345
Comments
Thanks for taking the time to reach out, but this has been extensively discussed in #209 and we already offer ways of avoiding pickle with custom serializer support.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The Flask-Caching extension for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.
Full Details: https://security.snyk.io/vuln/SNYK-PYTHON-FLASKCACHING-1292339
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33026
Other Details: https://snyk.io/vuln/pip%3Aflask-caching
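The mechanism the report describes, as an added example that is not code from Flask-Caching or from anyone in this thread: a cache wrapper that pickles values into a backend anyone with storage access can write to, beside two hardened wrappers, a data-only JSON serializer (the "custom serializer" route the maintainer points to) and an HMAC-signed pickle for values that are not JSON-friendly. The `DictStore` backend, the class names, the cache key and the secret key are all assumptions for illustration; the payload only sets an environment variable so the effect can be checked.

```python
import hashlib
import hmac
import json
import os
import pickle

MARKER = "CACHE_POISON_POC"  # env var the payload sets so the effect is observable


class DictStore:
    """Stand-in for Redis, Memcached or a cache directory (constructed for this
    example): holds raw bytes, and anyone with write access can replace an entry."""

    def __init__(self):
        self._data = {}

    def set_raw(self, key, raw):
        self._data[key] = raw

    def get_raw(self, key):
        return self._data.get(key)


class PickleCache:
    """The vulnerable pattern: pickle on write, pickle.loads on read, so whatever
    bytes sit in the backend get deserialized, and therefore executed."""

    def __init__(self, store):
        self.store = store

    def set(self, key, value):
        self.store.set_raw(key, pickle.dumps(value))

    def get(self, key):
        raw = self.store.get_raw(key)
        return None if raw is None else pickle.loads(raw)


class JsonCache:
    """Hardened with a data-only serializer: JSON cannot name a callable, so a
    poisoned entry is at worst undecodable and is treated as a cache miss."""

    def __init__(self, store):
        self.store = store

    def set(self, key, value):
        self.store.set_raw(key, json.dumps(value).encode("utf-8"))

    def get(self, key):
        raw = self.store.get_raw(key)
        if raw is None:
            return None
        try:
            return json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return None  # corrupt or poisoned entry: never a code path


class SignedPickleCache:
    """Keeps pickle but prefixes an HMAC-SHA256 keyed with a secret the backend
    never sees; entries not produced with that key are refused before loads()."""

    MAC_LEN = hashlib.sha256().digest_size

    def __init__(self, store, secret):
        self.store = store
        self.secret = secret

    def _mac(self, raw):
        return hmac.new(self.secret, raw, hashlib.sha256).digest()

    def set(self, key, value):
        raw = pickle.dumps(value)
        self.store.set_raw(key, self._mac(raw) + raw)

    def get(self, key):
        blob = self.store.get_raw(key)
        if blob is None or len(blob) < self.MAC_LEN:
            return None
        mac, raw = blob[: self.MAC_LEN], blob[self.MAC_LEN :]
        if not hmac.compare_digest(mac, self._mac(raw)):
            return None  # tampered or foreign entry: pickle.loads is never reached
        return pickle.loads(raw)


class Payload:
    """__reduce__ tells the unpickler to call exec(...) on load. Here it only sets
    an environment variable; a real payload runs anything the process can."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = 'executed'",))


def poisoned_entry():
    """Bytes an attacker with backend access would write over a cached key."""
    return pickle.dumps(Payload())


def run_scenario(make_cache):
    """Cache a view result, overwrite it in the backend, read it back.
    Returns (value the app received, marker the payload set or None)."""
    os.environ.pop(MARKER, None)
    store = DictStore()
    cache = make_cache(store)
    cache.set("view//index", {"html": "<h1>hello</h1>"})
    store.set_raw("view//index", poisoned_entry())  # the cache-poisoning step
    value = cache.get("view//index")
    return value, os.environ.get(MARKER)


if __name__ == "__main__":
    print("pickle:", run_scenario(PickleCache))
    print("json:  ", run_scenario(JsonCache))
    print("signed:", run_scenario(lambda s: SignedPickleCache(s, b"server-side secret")))
```

With `PickleCache` the app gets `None` back (exec returns nothing) and the marker is set, i.e. the payload ran inside the web process; with either hardened wrapper the poisoned entry is just a cache miss. The signed variant only helps while the HMAC secret stays out of the backend and out of reach of whoever can write to it; an attacker who also holds the secret can still poison entries, so a data-only serializer is the stronger choice wherever the cached values allow it.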