CVE-2020-22083 log

Severity: Low
Remote: Yes
Type: Arbitrary code execution
** DISPUTED ** jsonpickle allows arbitrary code execution during deserialisation of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with untrusted data.
Group     Package            Affected  Fixed  Severity  Status      Ticket
AVG-1370  python-jsonpickle  1.5.2-3          Low       Vulnerable
The jsonpickle README file states that decode() should not be used for untrusted inputs: "WARNING: jsonpickle can execute arbitrary Python code. Do not load jsonpickles from untrusted / unauthenticated sources."
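The practical defence the entry points at is to never pass data from an untrusted source to decode(). The following is an added example, not code from the Arch tracker or from the jsonpickle project: it parses untrusted text with the standard json module only (which reconstructs no objects and calls no code) and rejects any document carrying jsonpickle reconstruction tags. It assumes jsonpickle's "py/" key prefix (py/object, py/reduce and friends) as the marker; the sample inputs are constructed and the tag in the second one is not a working payload.

```python
import json
from typing import Any, List

# jsonpickle marks values that decode() will turn back into objects (and,
# via tags such as py/reduce, code it will call) with keys prefixed "py/".
# Assumption: this prefix is jsonpickle's own tag convention.
JSONPICKLE_TAG_PREFIX = "py/"


def find_jsonpickle_tags(node: Any, path: str = "$") -> List[str]:
    """Walk a parsed JSON document and return the JSON path of every
    jsonpickle reconstruction tag found. Empty list means plain data."""
    hits: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and key.startswith(JSONPICKLE_TAG_PREFIX):
                hits.append(child)
            hits.extend(find_jsonpickle_tags(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_jsonpickle_tags(item, f"{path}[{index}]"))
    return hits


def load_untrusted(text: str) -> Any:
    """Parse untrusted text with json.loads (no object reconstruction) and
    refuse it if it carries jsonpickle tags. Neither the raw text nor the
    result is ever handed to jsonpickle.decode()."""
    data = json.loads(text)
    tags = find_jsonpickle_tags(data)
    if tags:
        raise ValueError(f"jsonpickle reconstruction tags rejected: {tags}")
    return data


# Constructed samples: plain data, and a document that asks jsonpickle to
# rebuild an object. The class name is a placeholder, not a real payload.
PLAIN = '{"user": "alice", "roles": ["admin"], "limits": {"cpu": 2}}'
TAGGED = '{"user": "alice", "session": {"py/object": "some.module.Class", "id": 7}}'

if __name__ == "__main__":
    print(load_untrusted(PLAIN))
    try:
        load_untrusted(TAGGED)
    except ValueError as exc:
        print("rejected:", exc)
```

Where an application genuinely needs jsonpickle for its own, trusted state, keep that path separate from any endpoint that accepts external input, and run the check above on everything that crosses the trust boundary.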