exploitDog

GHSA-j66q-qmrc-89rx

Published: 24 May 2022
Source: github
GitHub: reviewed
CVSS4: 9.3
CVSS3: 9.8

Description

jsonpickle unsafe deserialization

jsonpickle through 1.4.2 allows remote code execution during deserialization of a malicious payload passed to the decode() function (CWE-502: deserialization of untrusted data). The project author disputes the CVE as intended functionality: decode() reconstructs whatever Python objects the document names, in the same way pickle does, so it must not be called on untrusted input.
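The check a practitioner wants in front of decode() when the document arrives from outside the trust boundary, as an added example that is not code from this page or from the jsonpickle project: parse the text with the standard json module and refuse it if it carries jsonpickle control tags that name a type or callable outside an explicit allowlist, or tags that let the document drive reconstruction in ways an allowlist cannot bound. The tag names (py/object, py/type, py/function, py/reduce, py/repr, py/tuple) are jsonpickle's own; the sample documents, the allowlist, the depth bound and the decision to refuse py/reduce and py/repr outright are this example's assumptions. Nothing here imports jsonpickle or decodes the samples.

```python
"""Pre-decode gate for jsonpickle documents.

Added example, not part of the jsonpickle project.  jsonpickle.decode()
reconstructs whatever Python objects the document names through its ``py/*``
control tags (CWE-502), so a document from outside the trust boundary must be
inspected before decode() ever sees it.  Only the standard library is used.
"""
from __future__ import annotations

import json
from typing import Any, Iterator

# jsonpickle tags whose value is a dotted "module.name" that decode() imports.
CALLABLE_TAGS = ("py/object", "py/type", "py/function")
# Tags this example refuses outright (assumption: none of our legitimate
# documents need them): py/reduce calls a document-named callable with
# document-supplied arguments; py/repr carries a string that is eval()'d.
ALWAYS_REJECT = ("py/reduce", "py/repr")
# Assumption: nesting bound so the walk stays cheap on hostile input.
MAX_DEPTH = 32

# Constructed sample documents for this example (not captured from any system).
BENIGN_DOC = '{"py/object": "myapp.models.Point", "x": 1, "y": 2}'
PLAIN_DOC = '{"items": [1, 2, {"name": "x"}]}'
# Shape of a document that asks decode() to call an importable callable with
# arguments taken from the document.  It is only inspected here, never decoded.
REDUCE_DOC = '{"py/reduce": [{"py/function": "os.system"}, {"py/tuple": ["id"]}]}'


def iter_control_tags(node: Any, depth: int = 0) -> Iterator[tuple[str, Any]]:
    """Yield every (tag, value) pair whose key starts with "py/", depth-first.

    A dict's own tags are yielded before its children, so a forbidden outer
    tag is reported before anything nested inside it.
    """
    if depth > MAX_DEPTH:
        raise ValueError("nested deeper than %d levels" % MAX_DEPTH)
    if isinstance(node, dict):
        for key, value in node.items():
            if key.startswith("py/"):
                yield key, value
        for value in node.values():
            yield from iter_control_tags(value, depth + 1)
    elif isinstance(node, list):
        for item in node:
            yield from iter_control_tags(item, depth + 1)


def check_document(text: str, allowed_types: set[str]) -> tuple[bool, str]:
    """Return (True, "") if text may go to jsonpickle.decode(), else (False, reason).

    allowed_types holds the dotted names (e.g. "myapp.models.Point") that the
    application actually expects to reconstruct; anything else is refused.
    """
    try:
        doc = json.loads(text)
    except (ValueError, RecursionError) as exc:
        return False, "not acceptable JSON: %s" % exc
    try:
        for tag, value in iter_control_tags(doc):
            if tag in ALWAYS_REJECT:
                return False, "forbidden control tag %s" % tag
            if tag in CALLABLE_TAGS and (
                not isinstance(value, str) or value not in allowed_types
            ):
                return False, "%s names %r, which is not allowlisted" % (tag, value)
    except ValueError as exc:
        return False, str(exc)
    return True, ""


if __name__ == "__main__":
    allowed = {"myapp.models.Point"}
    for name, doc in [("benign", BENIGN_DOC), ("plain", PLAIN_DOC), ("reduce", REDUCE_DOC)]:
        print(name, check_document(doc, allowed))
```

Gate first, then decode: call check_document(body, allowed) and only pass body to jsonpickle.decode() when it returns (True, ""). The allowlist still trusts the constructors and __setstate__ of the classes it names, so for data that merely crosses a trust boundary, plain json.loads into a schema-validated dict is the smaller attack surface.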

Packages

Name        Ecosystem   Affected versions   Fixed version
jsonpickle  pip         <= 1.4.2            none

EPSS

Percentile: 89%
Score: 0.04696
Low

CVSS4: 9.3 Critical

CVSS3: 9.8 Critical

Weaknesses

CWE-502

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 5 years ago

jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with un-trusted data

redhat
about 5 years ago

jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with un-trusted data

CVSS3: 9.8
nvd
about 5 years ago

jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with un-trusted data

CVSS3: 9.8
debian
about 5 years ago

jsonpickle through 1.4.1 allows remote code execution during deseriali ...
