CVE-2020-13091 - Deserialization of Untrusted Data vulnerability in Numfocus Pandas
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if __reduce__ makes an os.system call. NOTE: third parties dispute this issue because the read_pickle() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner.
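The summary above describes the standard pickle hazard: whatever callable the file names through __reduce__ is resolved and invoked during read_pickle(). The following is an added example, not pandas code and not from the referenced write-up, of the usual mitigation for callers that must load pickles from files they do not fully trust: an Unpickler subclass whose find_class() resolves only an allowlisted set of modules, so a reference to os.system (or any other global outside the list) is refused before the REDUCE opcode can call it. The allowlist, the helper names and the constructed sample pickles are assumptions for this example; pandas is not imported, so it runs with the standard library alone.

```python
import io
import os
import pickle

# Assumed allowlist for this example (not a pandas setting): pandas/numpy
# internals plus a few harmless builtins. Real DataFrame pickles may need
# more entries; extend deliberately, and remember an allowlist narrows the
# attack surface but does not make loading untrusted pickles safe in general.
ALLOWED_MODULES = ("pandas", "numpy")
ALLOWED_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "int",
                    "float", "str", "bytes", "bool", "complex", "slice", "range"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that rejects any global outside the allowlist.

    find_class() runs for every GLOBAL/STACK_GLOBAL opcode, i.e. before a
    __reduce__ callable such as os.system could be obtained, so REDUCE never
    receives a forbidden callable to invoke.
    """

    def find_class(self, module, name):
        top = module.split(".", 1)[0]
        if module == "builtins" and name in ALLOWED_BUILTINS:
            return super().find_class(module, name)
        if top in ALLOWED_MODULES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize bytes with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_read_pickle(path: str):
    """Use instead of pandas.read_pickle() when the file is not fully trusted."""
    with open(path, "rb") as fh:
        return restricted_loads(fh.read())


def pickle_is_allowed(data: bytes) -> bool:
    """True if the pickle only references allowlisted globals (performs the load)."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def benign_sample() -> bytes:
    """Constructed sample: plain containers, no global references at all."""
    return pickle.dumps({"a": [1, 2, 3], "b": (4.0, "x")})


def forbidden_sample() -> bytes:
    """Constructed sample: a bare reference to a global outside the allowlist.
    No REDUCE opcode is present, so a default unpickler would merely return the
    function object; the restricted one refuses it inside find_class()."""
    return pickle.dumps(os.getcwd)
```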
References
- https://github.com/0FuzzingQ/vuln/blob/master/pandas%20unserialize.md
- https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.read_pickle.html