Vulnerabilities > CVE-2019-12760 - Deserialization of Untrusted Data vulnerability in Parso Project Parso

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

high complexity

parso-project

CWE-502

NVD

Published: 2019-06-06

Updated: 2024-04-11

Summary

A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration.

Vulnerable Configurations

Part	Description	Count
Application	Parso_Project Parso Project Parso 0.0.1 Parso Project Parso 0.0.2 Parso Project Parso 0.0.3 Parso Project Parso 0.0.4 Parso Project Parso 0.1.0 Parso Project Parso 0.1.1 Parso Project Parso 0.2.0 Parso Project Parso 0.2.1 Parso Project Parso 0.3.0 Parso Project Parso 0.3.1 Parso Project Parso 0.3.2 Parso Project Parso 0.3.3 Parso Project Parso 0.3.4 Parso Project Parso 0.4.0	14

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References