CVE-2021-33026
Remote Code Execution vulnerability in flask-caching (PyPI)

Remote Code Execution Proof of concept

What is CVE-2021-33026 About?

This vulnerability in Flask-Caching allows for remote code execution or local privilege escalation due to its reliance on Pickle for serialization. Attackers who can write to and control cache storage can craft malicious payloads. Exploitation requires several specific preconditions, making it dependent on an already compromised or severely misconfigured system.

Affected Software

flask-caching <=1.10.1

Technical Details

The Flask-Caching extension, through version 1.10.1, uses Python's Pickle module for serializing cached data. The Pickle module is known to be insecure against maliciously constructed data, which can lead to arbitrary code execution during deserialization. An attacker can exploit this by first gaining write access to the cache storage mechanism (e.g., filesystem, Memcached, Redis). Once this access is established, the attacker can construct and inject a crafted Pickle payload into the cache. Subsequently, if the application attempts to read a cache key that collides with the attacker's injected payload, the malicious data will be deserialized, leading to the execution of arbitrary Python code on the server or escalation of privileges. The vulnerability hinges on the ability to both write arbitrary values to the cache and cause the application to read those malicious values through a cache key collision.

What is the Impact of CVE-2021-33026?

Successful exploitation may allow attackers to execute arbitrary code with the privileges of the application, gain full control over the compromised system, or achieve privilege escalation.

What is the Exploitability of CVE-2021-33026?

Exploitation of this vulnerability is complex, requiring multiple prerequisites. An attacker needs to have remote or local access to write arbitrary values into the application's cache storage (e.g., filesystem, Memcached, Redis). Additionally, the attacker must be capable of generating a cache key that causes a collision with a legitimate value being read by the application. No specific authentication is required at the application level if the attacker has direct access to the cache backend. The vulnerability relies on the application already having significant security flaws that allow cache manipulation, increasing the likelihood of exploitation if such conditions are met.
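The Technical Details and Exploitability sections above both come down to one pattern: the application unpickles whatever bytes it finds under a cache key, so anyone who can write to the shared backend controls what gets deserialized. The following is an added example written for this page (it is not code from the Flask-Caching project, the CVE page, or either PoC author) that puts that pattern beside two defensive measures a deployment can layer on: an HMAC tag over every stored blob, checked before the pickle stream is touched, and a restricted Unpickler that refuses to resolve global references, which is the mechanism code-executing pickle payloads depend on. Assumptions: the shared backend is a plain dict standing in for Redis/Memcached/filesystem, the secret key is a constructed placeholder, and all function names (`unsafe_get`, `safe_get`, `restricted_loads`, `simulate_cache_poisoning`, `demo`) are hypothetical.

```python
"""Added example: unsafe cache unpickling beside an integrity-checked,
restricted variant. Not code from Flask-Caching or the CVE page."""
import hashlib
import hmac
import io
import json
import pickle

# Constructed in-memory stand-in for the shared cache backend
# (filesystem, Memcached or Redis in a real deployment).
_BACKEND: dict = {}

# Placeholder server-side secret; a real deployment loads it from config.
SECRET_KEY = b"constructed-example-key-not-for-real-use"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def unsafe_set(key, value):
    _BACKEND[key] = pickle.dumps(value)


def unsafe_get(key):
    """Vulnerable pattern: unpickle whatever the backend currently holds."""
    blob = _BACKEND.get(key)
    return None if blob is None else pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global (module.name) reference in the pickle stream.

    Payloads that run code during loading do so by naming a callable via
    the GLOBAL/STACK_GLOBAL opcodes; rejecting find_class makes them fail
    with UnpicklingError. Only pickle's primitive types (str, bytes, int,
    float, list, tuple, dict, ...) can still be loaded.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global reference {module}.{name} not allowed in cache data")


def restricted_loads(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def _tag(blob: bytes) -> bytes:
    return hmac.new(SECRET_KEY, blob, hashlib.sha256).digest()


def safe_set(key, value):
    """Store tag || pickle so reads can detect writes made without the key."""
    blob = pickle.dumps(value, protocol=pickle.HIGHEST_PROTOCOL)
    _BACKEND[key] = _tag(blob) + blob


def safe_get(key):
    """Verify the HMAC before deserializing, then load with the restricted
    Unpickler. Returns None on a miss; raises ValueError on a tampered or
    foreign entry; raises UnpicklingError if a signed entry names a global."""
    entry = _BACKEND.get(key)
    if entry is None:
        return None
    tag, blob = entry[:TAG_LEN], entry[TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(blob)):
        raise ValueError(f"cache entry {key!r} failed integrity check")
    return restricted_loads(blob)


def simulate_cache_poisoning(key, attacker_blob: bytes):
    """Stand-in for a party with write access to the backend overwriting the
    entry the application reads next (the key collision the advisory
    describes). The content is unsigned because they lack SECRET_KEY."""
    _BACKEND[key] = attacker_blob


def demo():
    """Exercise both paths against a poisoned entry; return the outcomes."""
    results = {}
    key = "user:42:profile"
    safe_set(key, {"name": "alice", "roles": ["viewer"]})
    results["safe_roundtrip"] = safe_get(key)

    # Benign stand-in for attacker-written content: a plain, unsigned pickle.
    simulate_cache_poisoning(key, pickle.dumps({"roles": ["admin"]}))
    results["unsafe_reads_poisoned"] = unsafe_get(key)
    try:
        safe_get(key)
        results["safe_rejects_poisoned"] = False
    except ValueError:
        results["safe_rejects_poisoned"] = True

    # Defence in depth: even a stream that names a global (here a harmless
    # library function) is refused by the restricted loader.
    try:
        restricted_loads(pickle.dumps(json.dumps))
        results["restricted_rejects_global"] = False
    except pickle.UnpicklingError:
        results["restricted_rejects_global"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The HMAC check stops entries written by anyone without the server's key, which is the precondition this CVE relies on; the restricted Unpickler is the second layer, so that a leaked key or a signing bug still cannot turn a cache read into code execution, at the cost of caching only plain data types. Both checks happen before `pickle` sees untrusted bytes; verifying after deserialization would be too late.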

What are the Known Public Exploits?

PoC Author      Link    Commentary
CarlosG13       Link    Pickle Serialization Remote Code Execution - Memcached Poisoning
Agilevatester   Link    PoC for CVE-2021-33026

What are the Available Fixes for CVE-2021-33026?

Available Upgrade Options

  • No fixes available


Additional Resources

What are Similar Vulnerabilities to CVE-2021-33026?

Similar Vulnerabilities: CVE-2020-9489, CVE-2018-1000656, CVE-2017-1000049, CVE-2017-18637, CVE-2019-10086