CVE-2023-33175 – CVE-2023-33175 is a critical vulnerability in t... (How to Fix)

📋 TL;DR

CVE-2023-33175 is a critical vulnerability in the ToUI Python package where Flask-Caching's SimpleCache improperly stores user variables, potentially allowing attackers to access or manipulate sensitive data. This affects websites using the Website.user_vars property in ToUI versions 2.0.1 through 2.4.0. The vulnerability has been patched in version 2.4.1.

💻 Affected Systems

Products:

ToUI Python package

Versions: 2.0.1 to 2.4.0

Operating Systems: All platforms running Python

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects applications using Website.user_vars property with Flask-Caching (SimpleCache).

📦 What is this software?

Toui by Toui Project

View all CVEs affecting Toui →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access or modify sensitive user data stored in user_vars, potentially leading to data breaches, session hijacking, or unauthorized actions.

🟠

Likely Case

Unauthorized access to user-specific data stored in the vulnerable caching mechanism, compromising user privacy and application integrity.

🟢

If Mitigated

With proper access controls and patching, the risk is minimized to acceptable levels with no data exposure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation likely requires understanding of the application's caching implementation but is technically straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.1

Vendor Advisory: https://github.com/mubarakalmehairbi/ToUI/security/advisories/GHSA-hh7j-pg39-q563

Restart Required: Yes

Instructions:

1. Update ToUI package using pip: pip install --upgrade toui==2.4.1
2. Restart all applications using ToUI
3. Verify the update was successful

🔧 Temporary Workarounds

Disable Flask-Caching for user_vars

all

Temporarily disable caching for user variables until patching is complete

Modify application code to avoid using Website.user_vars with Flask-Caching

🧯 If You Can't Patch

Implement strict access controls and monitoring for the caching layer
Isolate affected applications from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check ToUI version: pip show toui | grep Version

Check Version:

pip show toui | grep Version

Verify Fix Applied:

Confirm version is 2.4.1 or higher: pip show toui | grep Version

📡 Detection & Monitoring

Log Indicators:

Unusual access patterns to Flask-Caching endpoints
Multiple failed cache access attempts

Network Indicators:

Suspicious requests to caching-related endpoints

SIEM Query:

source="application_logs" AND ("Flask-Caching" OR "user_vars") AND status="200"

📊 Metadata

CVE ID: CVE-2023-33175

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-914

Published: May 30, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/mubarakalmehairbi/ToUI/releases/tag/v2.4.1 Release Notes
https://github.com/mubarakalmehairbi/ToUI/security/advisories/GHSA-hh7j-pg39-q563 Vendor Advisory
https://github.com/mubarakalmehairbi/ToUI/releases/tag/v2.4.1 Release Notes
https://github.com/mubarakalmehairbi/ToUI/security/advisories/GHSA-hh7j-pg39-q563 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-33175, you might also want to check these: