1850105 – (CVE-2013-7489) CVE-2013-7489 python-beaker: Deserialization of Untrusted Data which can lead to Arbitrary code execution

Bug 1850105 (CVE-2013-7489) - CVE-2013-7489 python-beaker: Deserialization of Untrusted Data which can lead to Arbitrary code execution

Summary: CVE-2013-7489 python-beaker: Deserialization of Untrusted Data which can lea...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2013-7489
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1849014 (view as bug list)
Depends On:	1850106 1852679
Blocks:	1850107
TreeView+	depends on / blocked

Reported:	2020-06-23 14:40 UTC by Michael Kaplan
Modified:	2021-11-01 17:13 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in python-beaker, where it is affected by the deserialization of untrusted data. This flaw allows an attacker to enter malicious payloads into the cache database (for example, if they are on the network and have credentials for the database), to perform remote code execution on the machine running Beaker, due to the deserialization of data from the cache database by Pickle.
Clone Of:
Environment:
Last Closed:	2021-11-01 17:13:34 UTC
Embargoed:

Attachments	(Terms of Use)

Description Michael Kaplan 2020-06-23 14:40:09 UTC

python-beaker is affected by Deserialization of untrusted data which could lead to Arbitrary code execution.

References:

https://github.com/bbangert/beaker/issues/191
https://www.openwall.com/lists/oss-security/2020/05/14/11

Comment 1 Michael Kaplan 2020-06-23 14:40:23 UTC

Created python-beaker tracking bugs for this issue:

Affects: fedora-all [bug 1850106]

Comment 8 Riccardo Schirone 2020-06-30 10:00:24 UTC

*** Bug 1849014 has been marked as a duplicate of this bug. ***

Comment 9 Todd Cullum 2020-06-30 18:52:35 UTC

Flaw summary:
If an attacker is able to enter malicious payloads into the cache database (e.g. if they are on the network and have creds for the database), they could get remote code execution on the machine running Beaker due to deserialization of data from the cache database by Pickle.

Comment 11 Todd Cullum 2020-06-30 18:57:14 UTC

Mitigation:

Implementing proper access control on the Beaker cache database, to prevent unauthorized writes into the database, will mitigate exploitation of this flaw. This flaw also cannot be triggered if the Cache functionality of Beaker is not used. When using the Session feature of Beaker, use the signing functionality to verify the integrity of the data retrieved from the database before deserialization.

Comment 13 Todd Cullum 2020-07-01 04:52:32 UTC

There is not yet a patch for this but the maintainer has suggested implementing signing of the cache data upon commit to the database to be verified upon retrieval.

Note You need to log in before you can comment on or make changes to this bug.