GHSA-8rq8-f485-7v8x

Source

https://github.com/advisories/GHSA-8rq8-f485-7v8x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8rq8-f485-7v8x/GHSA-8rq8-f485-7v8x.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-8rq8-f485-7v8x

Aliases

CVE-2022-35411

Published

2022-07-09T00:00:19Z

Modified

2025-02-16T06:01:50.037656Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

rpc.py vulnerable to Deserialization of Untrusted Data

Details

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

Per the maintainer, rpc.py is not designed for an API that is open to the outside world, and external requests cannot reach rpc.py in real world use.

A fix exists on the master branch. As a workaround, use the following code to turn off pickle in older versions: ``` del SERIALIZERNAMES[PickleSerializer.name] del SERIALIZERTYPES[PickleSerializer.content_type]

Database specific

{
    "nvd_published_at": "2022-07-08T19:15:00Z",
    "github_reviewed_at": "2022-07-12T17:55:02Z",
    "cwe_ids": [
        "CWE-502",
        "CWE-522"
    ],
    "github_reviewed": true,
    "severity": "CRITICAL"
}

References

Affected packages

PyPI / rpc-py

Package

Name: rpc-py; View open source insights on deps.dev
Purl: pkg:pypi/rpc-py

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.4.2

Last affected

0.6.0

Affected versions

0.*

0.4.2

0.4.3

0.5.0

0.5.1

0.6.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8rq8-f485-7v8x/GHSA-8rq8-f485-7v8x.json"