CVE-2020-22083 - log

CVE-2020-22083 edited at 09 Jun 2021 19:56:08
Remote
- Local
+ Remote
Description
- jsonpickle allows arbitrary code execution during deserialisation of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with untrusted data.
+ ** DISPUTED ** jsonpickle allows arbitrary code execution during deserialisation of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with untrusted data.
CVE-2020-22083 edited at 02 Jan 2021 11:25:13
Severity
- High
+ Low
CVE-2020-22083 edited at 02 Jan 2021 11:15:22
Description
- jsonpickle allows arbitrary code execution during deserialization of a malicious payload through the decode() function.
+ jsonpickle allows arbitrary code execution during deserialisation of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with untrusted data.
CVE-2020-22083 edited at 18 Dec 2020 14:46:14
Notes
+ The jsonpickle README file states that decode() should not be used for untrusted inputs: "WARNING: jsonpickle can execute arbitrary Python code. Do not load jsonpickles from untrusted / unauthenticated sources."
CVE-2020-22083 edited at 17 Dec 2020 20:36:49
Severity
- Unknown
+ High
Remote
- Unknown
+ Local
Type
- Unknown
+ Arbitrary code execution
Description
+ jsonpickle allows arbitrary code execution during deserialization of a malicious payload through the decode() function.
References
+ https://gist.github.com/j0lt-github/bb543e77a1a10c33cb56cf23d0837874
+ https://github.com/jsonpickle/jsonpickle/issues/332
+ https://versprite.com/blog/application-security/into-the-jar-jsonpickle-exploitation/
+ https://github.com/j0lt-github/python-deserialization-attack-payload-generator
Notes
CVE-2020-22083 created at 17 Dec 2020 20:29:47
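The description and the README note recorded above say the same thing from two sides: jsonpickle.decode() reconstructs whatever the document asks for, so the fix is never to hand untrusted text to decode() at all. The following is an added example, not code from the tracker entry or from the jsonpickle project: a stdlib-only gate that parses untrusted input with json.loads and refuses any document carrying jsonpickle reconstruction tags, including tags nested in lists and tags hidden inside a "json://" dictionary key. The tag prefix "py/" and the "json://" key prefix are assumed from jsonpickle's documented wire format; the sample documents are constructed for the demonstration and the class names in them are placeholders.

```python
"""Pre-decode gate for jsonpickle-formatted input from untrusted sources.

Added example; not the jsonpickle project's own code. It never calls
jsonpickle.decode(): untrusted text is parsed as plain JSON and returned as
plain dicts/lists, which is the only shape untrusted data should ever take.
"""
import json

# Assumption: every jsonpickle reconstruction directive ("py/object",
# "py/reduce", "py/function", "py/type", "py/state", ...) is a dict key with
# this prefix. A prefix match also catches tags added in later versions.
TAG_PREFIX = "py/"
# Assumption: jsonpickle encodes non-string dict keys as "json://<json>", and the
# unpickler restores the embedded JSON, so a tag can be smuggled inside a key.
JSON_KEY_PREFIX = "json://"

# Constructed sample documents (not real captures); class names are placeholders.
PLAIN_DOC = '{"user": "alice", "roles": ["admin", "ops"]}'
TAGGED_DOC = '{"user": "alice", "extra": [{"py/object": "some.module.Cls", "py/state": {}}]}'
KEY_SMUGGLED_DOC = '{"json://{\\"py/reduce\\": []}": 1}'


class UnsafePayload(ValueError):
    """Raised when a document contains anything jsonpickle would reconstruct."""


def find_tags(node, path="$"):
    """Return JSONPath-like locations of every jsonpickle tag in a parsed document.

    Walks dicts and lists recursively; a top-level-only check would miss a tag
    nested in a list element or in an embedded "json://" key.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.startswith(TAG_PREFIX):
                hits.append(f"{path}.{key}")
            if key.startswith(JSON_KEY_PREFIX):
                # The text after the prefix is itself a JSON document.
                try:
                    inner = json.loads(key[len(JSON_KEY_PREFIX):])
                except ValueError:
                    hits.append(f"{path}.<malformed json:// key>")
                else:
                    hits.extend(find_tags(inner, f"{path}.<key>"))
            hits.extend(find_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_tags(item, f"{path}[{i}]"))
    return hits


def scan_text(text):
    """Parse text as plain JSON and list the tag locations found in it."""
    return find_tags(json.loads(text))


def safe_loads(text):
    """Parse untrusted text as plain JSON; refuse anything jsonpickle-specific."""
    data = json.loads(text)
    tags = find_tags(data)
    if tags:
        raise UnsafePayload("jsonpickle reconstruction tags found: " + ", ".join(tags))
    return data


def is_safe(text):
    """True when safe_loads would accept the document."""
    try:
        safe_loads(text)
    except UnsafePayload:
        return False
    return True


if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_DOC), ("tagged", TAGGED_DOC), ("key-smuggled", KEY_SMUGGLED_DOC)):
        print(name, "->", "accepted" if is_safe(doc) else "rejected", scan_text(doc))
```

Use safe_loads() at the trust boundary (request bodies, queue messages, files from other tenants) and keep jsonpickle.decode() for data that is both produced by your own code and authenticated before it is read, for example with an HMAC over the stored blob; an allowlist of tags is not a substitute, because a reconstruction tag that points at any importable callable is enough for the unpickler to run code.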