CVE-2021-33026 - Vulnerability Details - OpenCVE

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Flask-caching Project	Flask-caching

Configuration 1 [-]

cpe:2.3:a:flask-caching_project:flask-caching:*:*:*:*:*:flask:*:*

No data.

References

Link	Providers
https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937
https://github.com/sh4nks/flask-caching/pull/209

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-05-13T22:51:20

Updated: 2024-08-03T23:42:19.075Z

Reserved: 2021-05-13T00:00:00

Link: CVE-2021-33026

Vulnrichment

Updated: 2024-08-03T23:42:19.075Z

NVD

Status : Modified

Published: 2021-05-13T23:15:07.367

Modified: 2024-11-21T06:08:09.140

Link: CVE-2021-33026

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-16T22:55:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/sh4nks/flask-caching/pull/209"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2021-33026", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/sh4nks/flask-caching/pull/209", "refsource": "MISC", "url": "https://github.com/sh4nks/flask-caching/pull/209"}, {"name": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937", "refsource": "MISC", "url": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937"}]}}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "affected": [{"vendor": "flask-caching_project", "product": "flask-caching", "cpes": ["cpe:2.3:a:flask-caching_project:flask-caching:*:*:*:*:*:flask:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.10.1", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-19T18:22:56.685627Z", "id": "CVE-2021-33026", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T18:25:49.436Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:42:19.075Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sh4nks/flask-caching/pull/209"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-33026", "datePublished": "2021-05-13T22:51:20", "dateReserved": "2021-05-13T00:00:00", "dateUpdated": "2024-08-03T23:42:19.075Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/sh4nks/flask-caching/pull/209", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:42:19.075Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-33026", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-19T18:22:56.685627Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:flask-caching_project:flask-caching:*:*:*:*:*:flask:*:*"], "vendor": "flask-caching_project", "product": "flask-caching", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.10.1"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T18:25:31.929Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/sh4nks/flask-caching/pull/209", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-09-16T22:55:27"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/sh4nks/flask-caching/pull/209", "name": "https://github.com/sh4nks/flask-caching/pull/209", "refsource": "MISC"}, {"url": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937", "name": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-33026", "STATE": "PUBLIC", "ASSIGNER": "[email protected]"}}}}, "cveMetadata": {"cveId": "CVE-2021-33026", "state": "PUBLISHED", "dateUpdated": "2024-08-03T23:42:19.075Z", "dateReserved": "2021-05-13T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2021-05-13T22:51:20", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flask-caching_project:flask-caching:*:*:*:*:*:flask:*:*", "matchCriteriaId": "04389DFA-32B3-4F65-BBDB-6321BA631F81", "versionEndIncluding": "1.10.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision"}, {"lang": "es", "value": "** EN DISPUTA ** La extensi\u00f3n Flask-Caching hasta la versi\u00f3n 1.10.1 para Flask se basa en Pickle para la serializaci\u00f3n, lo que puede llevar a la ejecuci\u00f3n remota de c\u00f3digo o a la escalada local de privilegios. Si un atacante obtiene acceso al almacenamiento de la cach\u00e9 (por ejemplo, el sistema de archivos, Memcached, Redis, etc.), puede construir una carga \u00fatil manipulada, envenenar la cach\u00e9 y ejecutar c\u00f3digo Python. NOTA: un tercero indica que la explotaci\u00f3n es extremadamente improbable a menos que la m\u00e1quina ya est\u00e9 comprometida; en otros casos, el atacante no podr\u00eda escribir su carga \u00fatil en la cach\u00e9 y generar la colisi\u00f3n necesaria"}], "id": "CVE-2021-33026", "lastModified": "2024-11-21T06:08:09.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-05-13T23:15:07.367", "references": [{"source": "[email protected]", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sh4nks/flask-caching/pull/209"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sh4nks/flask-caching/pull/209"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}