
CVE-2013-7489: Deserialization of Untrusted Data in Beaker

CVSS Score: 6.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.15412%
Published: 5/5/2022
Updated: 1/29/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
Beaker       | pip       | <= 1.11.0           |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from Beaker's cache mechanism using pickle for deserialization without HMAC/signature verification. Multiple sources (GHSA-3cwm-7jmm-774w, CVE-2013-7489, and related issues) confirm that the Cache component lacks the security measures present in Sessions. The _load_data method in Cache and the general deserialize utility function are directly responsible for unpickling untrusted data from cache backends. This matches the CWE-502 pattern of unsafe deserialization.
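As an added illustration, not Beaker's own code: a constructed in-memory cache that shows the unsigned pickle pattern the analysis describes beside a hardened variant that verifies an HMAC-SHA256 tag before calling pickle.loads, mirroring the signature check the analysis attributes to Sessions. The class names, SECRET_KEY and the sample cache entry are all constructed for this example.

```python
import hashlib
import hmac
import pickle
from typing import Any, Dict

SECRET_KEY = b"constructed-example-secret"  # constructed; real code loads it from config


class UnsafeCache:
    """Pattern described above: whatever sits in the backend is unpickled as-is."""

    def __init__(self) -> None:
        self._store: Dict[str, bytes] = {}

    def set(self, key: str, value: Any) -> None:
        self._store[key] = pickle.dumps(value)

    def _load_data(self, key: str) -> Any:
        # No integrity check: whoever can write to the backend controls pickle.loads input.
        return pickle.loads(self._store[key])


class SignedCache(UnsafeCache):
    """Hardened variant: HMAC-SHA256 tag appended on write, verified before unpickling."""

    TAG_LEN = hashlib.sha256().digest_size

    def __init__(self, secret: bytes) -> None:
        super().__init__()
        self._secret = secret

    def _sign(self, blob: bytes) -> bytes:
        return hmac.new(self._secret, blob, hashlib.sha256).digest()

    def set(self, key: str, value: Any) -> None:
        blob = pickle.dumps(value)
        self._store[key] = blob + self._sign(blob)

    def _load_data(self, key: str) -> Any:
        raw = self._store[key]
        blob, tag = raw[:-self.TAG_LEN], raw[-self.TAG_LEN:]
        # Constant-time compare; refuse to unpickle anything that fails the check.
        if not hmac.compare_digest(tag, self._sign(blob)):
            raise ValueError("cache entry failed integrity check; not deserialized")
        return pickle.loads(blob)


def load_after_tamper(cache: UnsafeCache, key: str = "profile") -> Any:
    """Constructed scenario: store a value, alter the backend bytes directly (as a
    shared backend with weak permissions would allow), then load the entry."""
    cache.set(key, {"user": "alice", "role": "viewer"})
    cache._store[key] = cache._store[key].replace(b"viewer", b"admin!", 1)
    try:
        return cache._load_data(key)
    except ValueError as exc:
        return str(exc)
```

The unsigned cache returns the altered record as if it were legitimate, while the signed cache refuses to deserialize it at all.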

WAF Protection Rules

WAF Rule

The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.
