Description

The Python standard library has a module called pickle that is used for serializing and deserializing objects. It's widely regarded as dangerous to unpickle data from any untrusted source.

It was determined that this web application unpickles data from user-controlled input.

Remediation

The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

References

Security issues

Dangerous Pickles

Related Vulnerabilities

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2017-5645)

WordPress Deserialization of Untrusted Data Vulnerability (CVE-2020-28032)

Java Debug Wire Protocol remote code execution

Oracle WebLogic Remote Code Execution via T3

RubyGems Deserialization of Untrusted Data Vulnerability (CVE-2018-1000074)

Severity

High

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Insecure Deserialization