PT-2020-15423 · Jsonpickle+2

J0Lt-Github · Published 2020-12-17 · Updated 2024-08-04 · CVE-2020-22083

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
jsonpickle versions 1.4.1 and earlier

Description
The issue allows remote code execution during deserialization of a malicious payload through the decode() function. It has been argued that this is expected and clearly documented behavior, since pickle-style deserialization is known to be capable of arbitrary code execution and must not be used with untrusted data.

Recommendations
For jsonpickle versions 1.4.1 and earlier, consider disabling the decode() function until a patch is available, or ensure that it is only ever called on trusted data to minimize the risk of exploitation.

Exploit · Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

ALT-PU-2021-2614
CVE-2020-22083
GHSA-J66Q-QMRC-89RX
PYSEC-2020-49

Affected Products

Alt Linux
Debian
Jsonpickle