Bug 1186052 - (CVE-2021-33026) VUL-1: CVE-2021-33026: python-Flask-Caching: The Flask-Caching extension relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation.
(CVE-2021-33026)
VUL-1: CVE-2021-33026: python-Flask-Caching: The Flask-Caching extension reli...
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.3
Other Other
: P4 - Low : Minor (vote)
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/284265/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-05-14 09:31 UTC by Gianluca Gabrielli
Modified: 2021-10-21 14:39 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2021-05-14 09:31:55 UTC
CVE-2021-33026

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for
serialization, which may lead to remote code execution or local privilege
escalation. If an attacker gains access to cache storage (e.g., filesystem,
Memcached, Redis, etc.), they can construct a crafted payload, poison the cache,
and execute Python code.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33026
https://github.com/sh4nks/flask-caching/pull/209
Comment 2 Arun Persaud 2021-10-14 16:19:40 UTC
I'm not the right person for this unless this will be automatically fixed by updating to the latest version if there is a new one. (all I do is updating the tar-ball to the latest version every now and then).
Comment 3 Chenzi Cao 2021-10-15 06:32:22 UTC
Hi Gianluca, is this issue opened for Leap42.3 please? Leap42.3 is out of openSUSE officially support, would you please confirm whether it is for newer openSUSE product please? Thanks.
Comment 4 Gianluca Gabrielli 2021-10-21 14:39:48 UTC
Hi Chenzi,

I meant openSUSE:Factory/python-Flask-Caching (currently v.1.9.0). Anyway the mentioned PR [0] is not merged yet, so I think there's nothing to do here for now. Let's keep this issue open to track this security bug.

[0] https://github.com/sh4nks/flask-caching/pull/209