CVE-2020-22083

Source
Severity Low
Remote Yes
Type Arbitrary code execution
Description
** DISPUTED ** jsonpickle allows arbitrary code execution during deserialisation of a malicious payload through the decode() function: decode() reconstructs whatever Python objects the JSON document names, so an attacker who controls the document can have arbitrary modules imported and arbitrary callables invoked. Note: It has been argued that this is expected and clearly documented behaviour. jsonpickle mirrors the pickle protocol, and pickle is known to be capable of causing arbitrary code execution and must not be used with untrusted data.
Group     Package            Affected  Fixed  Severity  Status      Ticket
AVG-1370  python-jsonpickle  1.5.2-3          Low       Vulnerable
References
https://gist.github.com/j0lt-github/bb543e77a1a10c33cb56cf23d0837874
https://github.com/jsonpickle/jsonpickle/issues/332
https://versprite.com/blog/application-security/into-the-jar-jsonpickle-exploitation/
https://github.com/j0lt-github/python-deserialization-attack-payload-generator
Notes
The jsonpickle README file states that decode() should not be used for untrusted inputs: "WARNING: jsonpickle can execute arbitrary Python code. Do not load jsonpickles from untrusted / unauthenticated sources."
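Added example, not part of the Arch advisory or of the jsonpickle project: the vulnerable pattern the description warns about (decode() on unauthenticated data) next to a hardened loader that parses untrusted input as plain JSON and rejects any jsonpickle "py/" tag before the data can reach a pickler. The MALICIOUS and BENIGN documents are constructed for the example; model_reduce is a deliberately simplified re-implementation of how the py/function and py/reduce tags are interpreted (name a callable by dotted path, import it, call it with the supplied arguments), written here to show the mechanism without depending on the library, and is not jsonpickle's own code.

```python
"""Added example: jsonpickle.decode() on untrusted input vs. a tag-rejecting loader."""
import importlib
import json

# jsonpickle marks non-JSON Python state with dict keys starting "py/"
# (py/object, py/reduce, py/function, py/type, ...). Any such key in
# attacker-controlled input lets decode() import and call attacker-chosen
# code. Policy here: reject every "py/" tag instead of keeping a per-version
# denylist of the dangerous ones.
TAG_PREFIX = "py/"

# Constructed payload in the shape used by the referenced write-ups:
# py/reduce = [callable, args]. It is only scanned here, never decoded.
MALICIOUS = json.dumps(
    {"py/reduce": [{"py/function": "os.system"}, {"py/tuple": ["id"]}]}
)
# Constructed benign document an application might legitimately accept.
BENIGN = json.dumps({"user": "alice", "roles": ["admin"], "profile": {"age": 30}})


def find_pickle_tags(node, path="$"):
    """Return [(json_path, key)] for every dict key starting with 'py/'."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith(TAG_PREFIX):
                hits.append((path, key))
            hits.extend(find_pickle_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_pickle_tags(value, f"{path}[{i}]"))
    return hits


def scan_text(text):
    """Convenience wrapper: parse as plain JSON and list the py/ tags found."""
    return find_pickle_tags(json.loads(text))


def safe_load(text):
    """Hardened form: json.loads only ever builds dict/list/str/int/float/bool/None,
    and the scan guarantees the result carries no py/ tags that could later be
    handed to jsonpickle.decode() (or an Unpickler) by a downstream component."""
    data = json.loads(text)
    tags = find_pickle_tags(data)
    if tags:
        raise ValueError(f"jsonpickle tags in untrusted input: {tags}")
    return data


def vulnerable_load(text):
    """The pattern the advisory and the README warn about."""
    import jsonpickle  # the real library; only imported if it is installed
    return jsonpickle.decode(text)  # attacker picks what gets imported and called


def model_reduce(doc):
    """Simplified model (assumption, not jsonpickle's code) of py/function and
    py/reduce: the document names a callable by dotted path, the decoder imports
    it and calls it with the supplied arguments. Any importable callable works,
    which is why "os.system" in MALICIOUS means command execution."""
    if isinstance(doc, dict) and "py/function" in doc:
        module, _, name = doc["py/function"].rpartition(".")
        return getattr(importlib.import_module(module), name)
    if isinstance(doc, dict) and "py/reduce" in doc:
        func, args = doc["py/reduce"][:2]
        return model_reduce(func)(*model_reduce(args))
    if isinstance(doc, dict) and "py/tuple" in doc:
        return tuple(doc["py/tuple"])
    return doc


if __name__ == "__main__":
    print(scan_text(MALICIOUS))
    # Harmless callable to show the mechanism without running a shell command.
    print(model_reduce({"py/reduce": [{"py/function": "builtins.len"},
                                      {"py/tuple": ["abcd"]}]}))
    print(safe_load(BENIGN))
```

Scanning for tags is a pre-filter, not a substitute for never calling decode() on untrusted data: the only robust fix is to accept plain JSON (or a signed/authenticated jsonpickle document) from outside the trust boundary and keep jsonpickle for data the application itself produced.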