Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2021-33026

Published: 13/05/2021 Updated: 11/04/2024
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Flask-caching

Vulnerability Summary

The Flask-Caching extension up to and including 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

flask-caching project flask-caching

Vendor Advisories

Debian CVElist Bug Report Logs: flask-caching: CVE-2021-33026
Debian Bug report logs - #988916 flask-caching: CVE-2021-33026 Package: src:flask-caching; Maintainer for src:flask-caching is Debian Python Team <team+python@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 21 May 2021 12:03:01 UTC Severity: important Tags: security, upstream Fo ...
Arch Linux Issues:
The Flask-Caching extension through 1101 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation If an attacker gains access to cache storage (eg, filesystem, Memcached, Redis, etc), they can construct a crafted payload, poison the cache, and execute Python code ...

Github Repositories

https://github.com/CarlosG13/CVE-2021-33026

Pickle Serialization Remote Code Execution - Memcached Poisoning

CVE-2021-33026 Pickle Serialization Remote Code Execution - Memcached Poisoning PoC Exploit What's CVE-2021-3306? "The Flask-Caching extension through 1101 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation If an attacker gains access to cache storage (eg, filesystem, Memcached, Redis, etc), they

References

CWE-502https://github.com/sh4nks/flask-caching/pull/209https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988916https://nvd.nist.govhttps://github.com/CarlosG13/CVE-2021-33026https://security.archlinux.org/CVE-2021-33026
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-26925CVE-2023-41826LFICVE-2022-22364CVE-2024-2887command injectionremote code executionCVE-2024-34446CVE-2022-48699
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook