CVE-2020-22083 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Low
Remote	Yes
Type	Arbitrary code execution
Description	DISPUTED jsonpickle allows arbitrary code execution during deserialisation of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with untrusted data.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1370	python-jsonpickle	1.5.2-1		Low	Vulnerable

References
https://gist.github.com/j0lt-github/bb543e77a1a10c33cb56cf23d0837874 https://github.com/jsonpickle/jsonpickle/issues/332 https://versprite.com/blog/application-security/into-the-jar-jsonpickle-exploitation/ https://github.com/j0lt-github/python-deserialization-attack-payload-generator

References

https://gist.github.com/j0lt-github/bb543e77a1a10c33cb56cf23d0837874
https://github.com/jsonpickle/jsonpickle/issues/332
https://versprite.com/blog/application-security/into-the-jar-jsonpickle-exploitation/
https://github.com/j0lt-github/python-deserialization-attack-payload-generator

Notes
The jsonpickle README file states that decode() should not be used for untrusted inputs: "WARNING: jsonpickle can execute arbitrary Python code. Do not load jsonpickles from untrusted / unauthenticated sources."

Notes

The jsonpickle README file states that decode() should not be used for untrusted inputs: "WARNING: jsonpickle can execute arbitrary Python code. Do not load jsonpickles from untrusted / unauthenticated sources."