Deserialization of Untrusted Data - CVE-2021-33026 #345

Closed
gord0b opened this issue May 5, 2022 · 1 comment

Comments

gord0b commented May 5, 2022

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The Flask-Caching extension for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.

Full Details: https://security.snyk.io/vuln/SNYK-PYTHON-FLASKCACHING-1292339
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33026
Other Details: https://snyk.io/vuln/pip%3Aflask-caching

Environment:

  • Flask-Caching version: 1.10.1
northernSage (Member) commented May 24, 2022

Thanks for taking the time to reach out, but this has been extensively discussed in #209 and we already offer ways of avoiding pickle with custom serializer support.
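
To make the failure mode described in this thread concrete, here is an added example; it is not Flask-Caching's code and is not from either commenter. A plain dict stands in for the shared cache backend (Redis, Memcached, a filesystem directory), and `attacker_sink`, `MaliciousPayload`, `PickleSerializer`, `JsonSerializer` and the `cache_get`/`cache_set` helpers are all constructed for the demo. The first path unpickles an entry that an attacker wrote straight into the backend, and code runs during `pickle.loads()`; the second path reads the same poisoned entry through a JSON-only serializer, which rejects it before anything can execute.

```python
import json
import pickle

# Constructed stand-in for a shared cache backend (Redis, Memcached, a
# filesystem directory): key -> raw bytes. Anyone who can write to the
# backend controls what the application later deserializes.
CACHE_STORE = {}

# Observation channel for the demo. A real payload would return os.system
# or subprocess.Popen from __reduce__; here we only record that we ran.
EXECUTED = []


def attacker_sink(marker):
    """Called by the unpickler on the victim. Records the call and returns
    whatever the attacker wants the application to see as the cached value."""
    EXECUTED.append(marker)
    return "value chosen by attacker"


class MaliciousPayload:
    """pickle asks __reduce__ how to rebuild an object; returning a callable
    plus arguments makes pickle.loads() call that callable on the victim."""

    def __reduce__(self):
        return (attacker_sink, ("code ran during pickle.loads",))


class PickleSerializer:
    """The behaviour the issue describes: pickle round-trips arbitrary objects."""

    def dumps(self, obj):
        return pickle.dumps(obj)

    def loads(self, raw):
        return pickle.loads(raw)


class JsonSerializer:
    """Hypothetical custom serializer: JSON data types only, no object graphs,
    so a poisoned entry cannot carry executable behaviour."""

    def dumps(self, obj):
        return json.dumps(obj).encode("utf-8")

    def loads(self, raw):
        return json.loads(raw.decode("utf-8"))


def cache_set(key, value, serializer):
    CACHE_STORE[key] = serializer.dumps(value)


def cache_get(key, serializer):
    raw = CACHE_STORE.get(key)
    if raw is None:
        return None
    return serializer.loads(raw)


def poison_cache(key):
    """Attacker with write access to the backend plants a crafted pickle,
    bypassing the application entirely."""
    CACHE_STORE[key] = pickle.dumps(MaliciousPayload())


def read_with_pickle(key="user:42:profile"):
    """Vulnerable path: the app reads the poisoned entry with pickle.
    Returns (value seen by the app, list of attacker callbacks that ran)."""
    CACHE_STORE.clear()
    EXECUTED.clear()
    poison_cache(key)
    value = cache_get(key, PickleSerializer())
    return value, list(EXECUTED)


def read_with_json(key="user:42:profile"):
    """Hardened path: the same poisoned entry is rejected by the JSON
    serializer and nothing runs. Returns (value, callbacks run, error name)."""
    CACHE_STORE.clear()
    EXECUTED.clear()
    poison_cache(key)
    try:
        value = cache_get(key, JsonSerializer())
        error = None
    except ValueError as exc:  # UnicodeDecodeError and JSONDecodeError are ValueErrors
        value, error = None, type(exc).__name__
    return value, list(EXECUTED), error


def json_roundtrip(key="user:42:profile"):
    """Legitimate plain data still round-trips through the JSON serializer."""
    CACHE_STORE.clear()
    profile = {"id": 42, "name": "alice", "roles": ["editor"]}
    cache_set(key, profile, JsonSerializer())
    return cache_get(key, JsonSerializer())


if __name__ == "__main__":
    print("pickle:        ", read_with_pickle())
    print("json:          ", read_with_json())
    print("json roundtrip:", json_roundtrip())
```

Wiring a serializer into Flask-Caching itself goes through the project's own configuration (the custom serializer support mentioned in the reply above), which this snippet does not reproduce. JSON only covers plain data, so anything that is not JSON-serializable needs an explicit encoding on the application side. Restricting write access to the backend (Redis AUTH and network ACLs, Unix socket and cache-directory permissions) is the other half of the mitigation, because the unsafe step is trusting whatever bytes are in the store.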

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 8, 2022