Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-22mf-97vh-x8rw

Опубликовано: 13 июн. 2019
Источник: github
Github: Прошло ревью
CVSS4: 7.2
CVSS3: 7.5

Описание

Deserialization vulnerability exists in parso

** DISPUTED ** A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration."

Пакеты

Наименование

parso

pip
Затронутые версииВерсия исправления

<= 0.4.0

Отсутствует

EPSS

Процентиль: 70%
0.00665
Низкий

7.2 High

CVSS4

7.5 High

CVSS3

Дефекты

CWE-502

Связанные уязвимости

CVSS3: 3.3
ubuntu
около 6 лет назад

** DISPUTED ** A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration."

CVSS3: 3.3
nvd
около 6 лет назад

A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration.

CVSS3: 3.3
debian
около 6 лет назад

A deserialization vulnerability exists in the way parso through 0.4.0 ...

EPSS

Процентиль: 70%
0.00665
Низкий

7.2 High

CVSS4

7.5 High

CVSS3

Дефекты

CWE-502