Vulnerabilities > CVE-2020-22083 - Deserialization of Untrusted Data vulnerability in Jsonpickle Project Jsonpickle
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with un-trusted data
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://gist.github.com/j0lt-github/bb543e77a1a10c33cb56cf23d0837874
- https://github.com/jsonpickle/jsonpickle/issues/332
- https://github.com/j0lt-github/python-deserialization-attack-payload-generator
- https://versprite.com/blog/application-security/into-the-jar-jsonpickle-exploitation/
- https://access.redhat.com/security/cve/CVE-2020-22083
- https://github.com/jsonpickle/jsonpickle/issues/332#issuecomment-747807494