
CVE-2021-33026: Deserialization of Untrusted Data in Flask-Caching

CVSS Score (v3.1): 4.2

Basic Information

EPSS Score: 0.95244%
Published: 6/18/2021
Updated: 8/16/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

Package Name: Flask-Caching
Ecosystem: pip
Vulnerable Versions: <= 1.10.1
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from Flask-Caching's reliance on pickle for serialization. The serializer's loads() method directly uses pickle.loads(), which is inherently unsafe for untrusted data. The BaseCache class's _loads method propagates this vulnerability by using the default pickle-based serializer. These functions create an RCE vector when combined with cache poisoning. The assessment is supported by the CVE description, GitHub advisory discussion about pickle usage, and code changes in PR #209 that specifically target serialization mechanisms.
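The mitigation that follows from the analysis above is to authenticate cache entries before they reach pickle.loads(). The serializer below is an added example, not Flask-Caching's own code: it keeps the dumps()/loads() interface the analysis refers to but prefixes each stored blob with an HMAC tag, so an entry written into the backend by anyone without the key (the cache-poisoning step) is rejected before any deserialization happens. The class name, the demo() helper and the sample values are constructed for illustration.

```python
import hashlib
import hmac
import pickle

# Hypothetical hardened serializer (added example, not Flask-Caching's code).
# Same dumps()/loads() interface as the pickle-based serializer the advisory
# describes, but every stored blob carries an HMAC tag: a value planted in the
# cache backend without the key is rejected before pickle.loads() ever sees it.
class AuthenticatedSerializer:
    TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

    def __init__(self, key: bytes):
        if len(key) < 16:
            raise ValueError("key too short")
        self._key = key

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def dumps(self, value) -> bytes:
        data = pickle.dumps(value, protocol=pickle.HIGHEST_PROTOCOL)
        return self._tag(data) + data

    def loads(self, blob: bytes):
        if len(blob) <= self.TAG_LEN:
            raise ValueError("cache entry too short to carry a tag")
        tag, data = blob[:self.TAG_LEN], blob[self.TAG_LEN:]
        # Constant-time check; a forged or altered entry stops here, so the
        # untrusted bytes are never handed to pickle.loads().
        if not hmac.compare_digest(tag, self._tag(data)):
            raise ValueError("cache entry failed authentication (possible poisoning)")
        return pickle.loads(data)


def demo(key: bytes):
    """Returns (decoded, tampered_rejected, unsigned_rejected) for constructed inputs."""
    s = AuthenticatedSerializer(key)
    blob = s.dumps({"user": "alice", "roles": ["viewer"]})  # constructed sample value
    decoded = s.loads(blob)

    def rejected(b: bytes) -> bool:
        try:
            s.loads(b)
            return False
        except ValueError:
            return True

    tampered = bytearray(blob)
    tampered[-1] ^= 0x01                      # one byte altered in the backend
    unsigned = pickle.dumps("planted value")  # raw pickle written without the key
    return decoded, rejected(bytes(tampered)), rejected(unsigned)
```

A MAC only helps when the cache backend is reachable by parties who do not hold the key; an attacker with the same access as the application itself can sign entries, so a format that cannot execute code on load (for example JSON) remains the stronger choice where the cached values allow it.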


WAF Protection Rules

WAF Rule

Flask-Cache adds easy cache support to Flask. The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage
