| Summary: | dev-python/jsonpickle: insecure deserialization (CVE-2020-22083) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | major | CC: | mgorny, python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/jsonpickle/jsonpickle/issues/332 | | |
| Whiteboard: | B1 [upstream] | | |
| Package list: | | Runtime testing required: | --- |
Description
John Helmert III
2020-12-19 02:54:56 UTC
So what am I supposed to do about it?

(In reply to Michał Górny from comment #1)
> So what am I supposed to do about it?

Nothing for you to do that I can see.

In general, there’s nothing we can do for “untrusted pickling”. You shouldn’t do it and it’s documented everywhere, including on jsonpickle’s front page. It shouldn’t have received a CVE unless there’s folks actually doing it - which would be a bug in the consumers.
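Added example, not code from this bug, from jsonpickle or from Gentoo: a stdlib-only gate for the consumer-side situation the thread describes, where data from an untrusted source must never reach `jsonpickle.decode`. It assumes that jsonpickle marks objects to be reconstructed with keys in its `py/` tag namespace (such as `py/object`); the class name `example.Settings` and both sample documents are constructed.

```python
import json
from typing import Any

# jsonpickle marks every Python object it will reconstruct with keys in its
# "py/" tag namespace (e.g. "py/object", "py/reduce"). Assumption: any such
# key in data from an untrusted source is a reason to refuse decoding.
TAG_PREFIX = "py/"


def find_pickle_tags(node: Any, path: str = "$") -> list[str]:
    """Return JSONPath-like locations of every jsonpickle tag key in `node`."""
    found: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith(TAG_PREFIX):
                found.append(f"{path}.{key}")
            found.extend(find_pickle_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(find_pickle_tags(value, f"{path}[{index}]"))
    return found


def load_untrusted(text: str) -> Any:
    """Parse untrusted JSON with the stdlib only and refuse jsonpickle tags.

    json.loads never instantiates application classes, so the result is plain
    dicts, lists and scalars; the caller still validates the shape it expects.
    """
    data = json.loads(text)
    tags = find_pickle_tags(data)
    if tags:
        raise ValueError(f"refusing jsonpickle-tagged input: {', '.join(tags)}")
    return data


# Constructed samples: a benign document and one carrying a jsonpickle tag
# (the class name is a placeholder, not a real module).
BENIGN = '{"user": "alice", "roles": ["dev"], "prefs": {"theme": "dark"}}'
TAGGED = '{"user": "alice", "prefs": {"py/object": "example.Settings", "theme": "dark"}}'

if __name__ == "__main__":
    print(load_untrusted(BENIGN))
    try:
        load_untrusted(TAGGED)
    except ValueError as exc:
        print(exc)
```

Logging the rejected tag paths gives a detection signal: a consumer that only ever expects plain JSON should never see `py/` keys from the outside.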