CVE-2021-33026

Name
CVE-2021-33026
Description
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/sh4nks/flask-caching/pull/209
Issue Tracking https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:flask-caching_project:flask-caching:*:*:*:*:*:flask:*:* flask-caching >= None <= 1.10.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status