Bug 760687 (CVE-2020-22083)

Summary: dev-python/jsonpickle: insecure deserialization (CVE-2020-22083)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: John Helmert III <ajak>
Assignee: Gentoo Security <security>
CC: mgorny, python
Status: RESOLVED INVALID
Severity: major
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/jsonpickle/jsonpickle/issues/332
Whiteboard: B1 [upstream]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 02:54:56 UTC
CVE-2020-22083 (https://github.com/jsonpickle/jsonpickle/issues/332):

jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function.


Contrary to the CVE description I've tested 1.4.2 and it's vulnerable too.  Unfortunately upstream doesn't think this is an issue and just suggests only deserializing trusted data.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 08:43:41 UTC
So what am I supposed to do about it?
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 08:52:02 UTC
(In reply to Michał Górny from comment #1)
> So what am I supposed to do about it?

Nothing for you to do that I can see
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 11:24:51 UTC
In general, there’s nothing we can do for “untrusted pickling”. You shouldn’t do it and it’s documented everywhere, including on jsonpickle’s front page. It shouldn’t have received a CVE unless there’s folks actually doing it - which would be a bug in the consumers.
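
Comment 3 places the bug in consumers that decode untrusted input. The sketch below is an added example, not part of the bug thread and not jsonpickle's own code: it parses untrusted text with the standard `json` module, which only builds plain data, and refuses anything carrying jsonpickle's `py/`-prefixed tag keys. The function names and sample inputs are constructed for illustration.

```python
import json

# jsonpickle marks type/reconstruction metadata with keys such as "py/object".
TAG_PREFIX = "py/"


class TaggedPayloadError(ValueError):
    """Raised when untrusted JSON carries jsonpickle-style tag keys."""


def find_tagged_keys(node, path="$"):
    """Return the JSON paths of all object keys that start with 'py/'."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.startswith(TAG_PREFIX):
                hits.append(child)
            hits.extend(find_tagged_keys(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_tagged_keys(value, f"{path}[{i}]"))
    return hits


def load_untrusted(text):
    """Parse untrusted text as plain JSON data; refuse jsonpickle-tagged input."""
    data = json.loads(text)  # yields only dict/list/str/int/float/bool/None
    hits = find_tagged_keys(data)
    if hits:
        raise TaggedPayloadError("jsonpickle tags at: " + ", ".join(hits))
    return data


# Constructed sample inputs (not taken from the bug report).
PLAIN = '{"user": "alice", "roles": ["dev", "qa"]}'
TAGGED = ('{"job": {"py/object": "example.module.Placeholder", '
          '"args": [{"py/tuple": [1, 2]}]}}')

if __name__ == "__main__":
    print(load_untrusted(PLAIN))
    try:
        load_untrusted(TAGGED)
    except TaggedPayloadError as exc:
        print("rejected:", exc)
```

A rejection here is also a useful log event: tagged input arriving on an interface that expects plain JSON suggests someone is probing for a jsonpickle decoder behind it.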