Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 760687 (CVE-2020-22083)

Summary: dev-python/jsonpickle: insecure deserialization (CVE-2020-22083)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: major CC: mgorny, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/jsonpickle/jsonpickle/issues/332
Whiteboard: B1 [upstream]
Package list:
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2020-12-19 02:54:56 UTC
CVE-2020-22083 (https://github.com/jsonpickle/jsonpickle/issues/332):

jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function.


Contrary to the CVE description I've tested 1.4.2 and it's vulnerable too.  Unfortunately upstream doesn't think this is an issue and just suggests only deserializing trusted data.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 08:43:41 UTC
So what am I supposed to do about it?
Comment 2 John Helmert III gentoo-dev Security 2020-12-19 08:52:02 UTC
(In reply to Michał Górny from comment #1)
> So what am I supposed to do about it?

Nothing for you to do that I can see
Comment 3 Sam James archtester gentoo-dev Security 2020-12-19 11:24:51 UTC
In general, there’s nothing we can do for “untrusted pickling”. You shouldn’t do it and it’s documented everywhere, including on jsonpickle’s front page. It shouldn’t have received a CVE unless there’s folks actually doing it - which would be a bug in the consumers.