CVE-2021-33026: Improper Privilege Management

May 13, 2021 (updated November 9, 2023)

The Flask-Caching extension for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.

References

nvd.nist.gov/vuln/detail/CVE-2021-33026

Detect and mitigate CVE-2021-33026 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →