Description

The Python standard library has a module called pickle that is used for serializing and deserializing objects. It's widely regarded as dangerous to unpickle data from any untrusted source.

It was determined that this web application unpickles data from user-controlled input.

Remediation

The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

References

Security issues

Dangerous Pickles

Related Vulnerabilities

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2022-23302)

Liferay TunnelServlet Deserialization Remote Code Execution

Deserialization of Untrusted Data (Java Object Deserialization)

SAP Hybris Deserialization RCE

TYPO3 Deserialization of Untrusted Data Vulnerability (CVE-2019-12747)

Severity

High

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Insecure Deserialization