Description
The Python standard library module pickle serializes and deserializes Python object structures. A pickle stream is not passive data: it is a sequence of opcodes that can instruct the loader to import any module and call any callable with attacker-chosen arguments (this is how `__reduce__` is implemented), so unpickling bytes from an untrusted source is equivalent to running code supplied by that source. The Python documentation itself warns that pickle is not secure and that you should never unpickle data from an untrusted source.
It was determined that this web application passes user-controlled input to pickle.loads() (or an equivalent unpickling call), which allows remote code execution in the context of the application.
Remediation
The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source. Prefer a data-only format such as JSON for anything that crosses a trust boundary. If pickle cannot be replaced, authenticate every pickle with an HMAC under a secret key and verify it with a constant-time comparison before calling pickle.loads(), and additionally use a pickle.Unpickler subclass whose find_class() only permits an explicit allow-list of globals. Note that signing only proves the bytes came from a key holder; it does not make pickle itself safe, so the producer must still be trusted and the key kept secret.
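The following is an added, self-contained example (not code from the original page or from the affected application) that shows why the finding above is remote code execution and how the two remediations work. The Payload class, the ALLOWED_GLOBALS set and the HMAC key are constructed for the demo; the attacker's eval string only returns the loader's process ID so the demo stays harmless.

```python
"""Why pickle.loads() on untrusted bytes is code execution, and two ways to close the hole.

Added example, not the page's own code. Payload, ALLOWED_GLOBALS and the key are
constructed for the demo.
"""
import hashlib
import hmac
import io
import os
import pickle

# --- 1. The attack: a pickle is a program, not just data ------------------
# pickle records an object that defines __reduce__ as "call this callable with
# these arguments", and the loader performs the call. The attacker needs none of
# your classes on the target: builtins.eval (or os.system) is always importable.

class Payload:
    """Constructed attacker object; whoever unpickles it evaluates the string."""
    def __reduce__(self):
        # A real payload would return (os.system, ("<shell command>",)).
        # This one proves execution by returning the loading process's PID.
        return (eval, ("__import__('os').getpid()",))


def malicious_pickle() -> bytes:
    """What an attacker would send to an endpoint that calls pickle.loads()."""
    return pickle.dumps(Payload())


def benign_pickle() -> bytes:
    """What the application itself would legitimately produce (constructed record)."""
    return pickle.dumps({"user": "alice", "roles": {"admin"}})


def unsafe_load(data: bytes):
    """The vulnerable pattern: pickle.loads on user-controlled bytes."""
    return pickle.loads(data)

# --- 2. Mitigation A: allow-list the globals a pickle may reference --------
# Follows the "Restricting Globals" recipe in the pickle documentation. Plain
# dicts, lists, sets and scalars need no global, so they still load.

ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

# --- 3. Mitigation B: only unpickle bytes you produced (HMAC-SHA256) ------
# This does NOT make pickle safe; it proves the bytes came from a key holder.
# A stolen key or a compromised producer still yields code execution.

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes, prepended to the pickle

def sign_pickle(obj, key: bytes) -> bytes:
    data = pickle.dumps(obj)
    return hmac.new(key, data, hashlib.sha256).digest() + data


def verified_load(blob: bytes, key: bytes):
    mac, data = blob[:MAC_LEN], blob[MAC_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise ValueError("bad signature: refusing to unpickle")
    return pickle.loads(data)


def rejected(loader, *args) -> bool:
    """True if loader(*args) refused the input instead of executing it."""
    try:
        loader(*args)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)  # constructed; in production load it from a secret store
    print("unsafe_load ran attacker code, pid =", unsafe_load(malicious_pickle()))
    print("restricted_load blocked payload:", rejected(restricted_load, malicious_pickle()))
    print("restricted_load accepts app data:", restricted_load(benign_pickle()))
    signed = sign_pickle({"user": "alice"}, key)
    print("signed pickle round-trips:", verified_load(signed, key))
    forged = signed[:MAC_LEN] + malicious_pickle()  # valid MAC glued to attacker bytes
    print("forged blob rejected:", rejected(verified_load, forged, key))
```

Run it stand-alone to see the three behaviours side by side. The allow-list and the HMAC are complementary: the allow-list limits what any pickle can do even if the key leaks, and the HMAC stops unauthenticated input from reaching the unpickler at all.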
Related Vulnerabilities
WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2017-5645)
WordPress Deserialization of Untrusted Data Vulnerability (CVE-2020-28032)
Java Debug Wire Protocol remote code execution
Oracle WebLogic Remote Code Execution via T3
RubyGems Deserialization of Untrusted Data Vulnerability (CVE-2018-1000074)