Описание
jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with un-trusted data
Python-jsonpickle allows remote code execution during deserialization of a malicious payload through the decode() function.
Отчет
Both jsonpickle and pickle are documented as being able to execute arbitrary code when loading pickles, and intended for use only with trusted data. This is expected behaviour, as clearly indicated in the jsonpickle README and at https://docs.python.org/3/library/pickle.html
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Tower 3 | python-jsonpickle | Not affected | ||
| Red Hat Quay 3 | python-jsonpickle | Not affected |
Показывать по
Дополнительная информация
EPSS
0 Low
CVSS3
Связанные уязвимости
jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with un-trusted data
jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with un-trusted data
jsonpickle through 1.4.1 allows remote code execution during deseriali ...
EPSS
0 Low
CVSS3