Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A way to make flask-caching optional / use a different caching mechanism #15271

Closed
michalc opened this issue Jun 19, 2021 · 4 comments
Closed

A way to make flask-caching optional / use a different caching mechanism #15271

michalc opened this issue Jun 19, 2021 · 4 comments

Comments

@michalc
Copy link

michalc commented Jun 19, 2021
edited
Loading

Is your feature request related to a problem? Please describe.

flask-caching has a published vulnerability https://nvd.nist.gov/vuln/detail/CVE-2021-33026#vulnCurrentDescriptionTitle where access to the cache store would lead to authorised code execution in Superset. Unfortunately, a fix does not appear available at this time.

Describe the solution you'd like

A way to not use Flask caching in Superset.

Describe alternatives you've considered

Forking Superset...

Additional context

pallets-eco/flask-caching#209
apache/airflow#16541
@michalc michalc mentioned this issue Jun 19, 2021
Closed
@dpgaspar
Copy link
Member

Hi @michalc,

This should have followed our responsible disclosure policy that is explicitly declared when you create a security issue on Github

## DO NOT REPORT SECURITY VULNERABILITIES HERE

Please report security vulnerabilities to [email protected].

In the event a community member discovers a security flaw in Superset, it is important to follow the [Apache Security Guidelines](https://www.apache.org/security/committers.html) and release a fix as quickly as possible before public disclosure. Reporting security vulnerabilities through the usual GitHub Issues channel is not ideal as it will publicize the flaw before a fix can be applied.

We follow Apache security Guidelines has stated above, so please send a copy to [email protected] and we'll followup on this there. Thank you

@michalc
Copy link
Author

michalc commented Jun 19, 2021

My apologies… I guess I (mis-)assumed that since the vulnerability in flask-caching is public, there was nothing remaining to disclose or report, and all discussion could be public.

@ThiefMaster
Copy link

IMHO the CVE is bogus. If someone has write access to your cache's storage, you are most likely already compromised.

@tooptoop4
Copy link
Contributor

did u fix @michalc ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@michalc @ThiefMaster @dpgaspar @tooptoop4