CVE-2013-7489: Deserialization of Untrusted Data in Beaker
CVSS Score: 6.8 (CVSS v3.1)

Basic Information

- CVE ID: CVE-2013-7489
- GHSA ID: GHSA-3cwm-7jmm-774w
- EPSS Score: 0.15412%
- CWE: CWE-502
- Published: 5/5/2022
- Updated: 1/29/2023
- KEV Status: No
- Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Beaker | pip | <= 1.11.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Beaker's cache mechanism using pickle for deserialization without HMAC/signature verification. Multiple sources (GHSA-3cwm-7jmm-774w, CVE-2013-7489, and related issues) confirm that the Cache component lacks the security measures present in Sessions. The _load_data method in Cache and the general deserialize utility function are directly responsible for unpickling untrusted data from cache backends. This matches the CWE-502 pattern of unsafe deserialization.
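To make the root cause concrete, here is an added example (not Beaker's own code) that places the unsafe pattern the analysis describes next to a signed variant: the pickle bytes are authenticated with HMAC-SHA256 and verified before `pickle.loads` is ever called. `SECRET_KEY`, `TamperedCacheEntry` and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import pickle

# Constructed for this example: a server-side secret the cache backend
# (file, memcached, database) never sees. Beaker's Cache has no such key.
SECRET_KEY = b"example-secret-key-rotate-me"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


class TamperedCacheEntry(Exception):
    """Raised when a cache entry fails HMAC verification."""


def deserialize_unsafe(blob: bytes):
    """The vulnerable pattern (CWE-502): unpickle whatever the backend
    returned, so whoever can write to the store controls what is unpickled."""
    return pickle.loads(blob)


def serialize_signed(value, key: bytes = SECRET_KEY) -> bytes:
    """Pickle the value and prepend an HMAC-SHA256 tag over the pickle bytes."""
    payload = pickle.dumps(value, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def deserialize_signed(blob: bytes, key: bytes = SECRET_KEY):
    """Verify the tag first; pickle.loads only runs on authenticated bytes."""
    if len(blob) <= DIGEST_LEN:
        raise TamperedCacheEntry("entry too short to carry a tag")
    tag, payload = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise TamperedCacheEntry("HMAC mismatch; refusing to unpickle")
    return pickle.loads(payload)


def roundtrip_ok(value) -> bool:
    """Untouched entries still deserialize to the original value."""
    return deserialize_signed(serialize_signed(value)) == value


def rejects_tampering(value) -> bool:
    """Flip one byte of the stored pickle and confirm the verifier refuses it."""
    blob = bytearray(serialize_signed(value))
    blob[-1] ^= 0x01  # corrupt the payload, tag no longer matches
    try:
        deserialize_signed(bytes(blob))
    except TamperedCacheEntry:
        return True
    return False
```

The HMAC only protects against writers who lack the key; if the key leaks, pickle is again fully trusted, so a data-only format such as JSON remains the safer default for cache values.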